DeterministicEncryption Class
Provides deterministic encryption services. In deterministic encryption, identical plain text values
are always encrypted into identical cipher text.
Namespace:
Walter.CypherAssembly: Walter.Cypher (in Walter.Cypher.dll)
Remarks
Deterministic encryption is particularly useful in scenarios such as:
- Store Sensitive Data on Third-party Servers: Critical for GDPR compliance when using cloud services without control over the hardware or database encryption mechanisms.
- Enable Grouping and Searching: Allows the encrypted data to be searchable and groupable, essential for database operations while maintaining data security and privacy.
Benefits and Considerations:
- Data Privacy and Security: Ensures secure storage of sensitive data such as personal information or corporate data.
- Searchability and Operational Efficiency: Facilitates efficient database operations like indexing, searching, and grouping on encrypted data.
- Compliance with Regulations: Meets GDPR and other data protection regulations for data processed or stored in external or cloud systems.
When to Use:
- GDPR Compliance in Cloud-Based Storage: Ideal for GDPR-compliant data storage in cloud-based databases.
- Maintaining Operational Capabilities: Useful when the ability to search or group data in the database is needed for operational efficiency.
Important Considerations:
- Not a One-Size-Fits-All Solution: Should be used judiciously as it's not always the preferred encryption method but is effective in specific scenarios.
- Secure Key Management: The effectiveness of deterministic encryption relies heavily on secure key management practices.
Deterministic encryption strikes a balance between operational functionality and data security, making it a valuable option for specific scenarios in cloud-based applications and services, especially for GDPR compliance.
Examples
Deterministic Encryption for GDPR Compliance in Cloud Environments
// Sample to demonstrate GDPR-compliant encryption of sensitive data using deterministic encryption // for storage in a third-party hosted SQL server. // Define the company name to be encrypted. string companyName = "Undefined Corp"; // Create an instance of the symmetric encryption service with a secure password and salt. // Note: In a production environment, securely manage the password and salt, avoiding hardcoded values. var encryptionService = new Walter.Cypher.DeterministicEncryption( password: "My $ectet Pa$w0rd", salt: "123456789+*ç%&/" ); // Encrypt the company name into a byte array. byte[] encryptedBytes = encryptionService.Encrypt(companyName.ToBytes()); // Prepare the T-SQL command for data insertion, using the encrypted company name. var tsql = @$" declare @UndefinedCorp VARBINARY(64) = {encryptedBytes.ToSqlBinaryString()}; declare @checksum int = CHECKSUM(@UndefinedCorp); // Check for the existence of the company and insert if not present. if not exists(select * from [dbo].[Companies] where [CompanyName] = @UndefinedCorp and [cs_CompanyName] = @checksum) BEGIN INSERT [dbo].[Companies] ([CompanyName],[cs_CompanyName],[TrueUpDays],[AutoInvoice],[ApplicableLicenseExempt]) Values(@UndefinedCorp, @checksum, -1, 0, 1); END "; // Execute the T-SQL command to store the encrypted data. using var con = new SqlConnection(config.GetConnectionString("Billing")); using var cmd = con.CreateCommand(); cmd.CommandText = tsql; cmd.CommandType = System.Data.CommandType.Text; con.Open(); cmd.ExecuteNonQuery();