Solved

MS Access linked tables with the SQL 2016 Always Encrypted

Posted on 2016-10-12
Last Modified: 2016-10-16
Is it possible to use MS Access linked tables with the SQL 2016 Always Encrypted feature? I created a test table in SQL 2016 that has encrypted fields, and I've set the ODBC connection permissions. I can't seem to find any documentation beyond that specific to working in MS Access.
Question by:Michael Murphy
11 Comments
 
LVL 13

Expert Comment

by:Nakul Vachhrajani
ID: 41841461
MS Access and MS SQL Server are two different DB platforms. Hence, you will not be able to use functionality provided by one (SQL Server) in another (Access).
0
 
LVL 85
ID: 41841720
The encryption/decryption is performed by the ADO.NET drivers, so no, you would not be able to do this.

See these articles for more in-depth information about this feature:

http://www.sqlmvp.org/always-encrypted-in-sql-server-2016/
http://www.databasejournal.com/features/mssql/exploration-of-sql-server-2016-always-encrypted-part-1.html
1
 

Author Comment

by:Michael Murphy
ID: 41841835
I'd initially read that "The only driver that can successfully support Always Encrypted feature is .NET 4.6". Then when doing some research for implementing Always Encrypted in our ASP.NET application I ran across this post https://msdn.microsoft.com/en-us/library/mt637351(v=sql.110).aspx titled "Using Always Encrypted with the Windows ODBC Driver".

We also have an Access application. Since we use a Windows ODBC Driver to connect our Access front end to a SQL back end, I thought there might be a way to make the Always Encrypted feature work in that scenario. It would be great if the encryption could work in both applications.
0

 
LVL 13

Expert Comment

by:Nakul Vachhrajani
ID: 41841943
The article (https://msdn.microsoft.com/en-us/library/mt637351(v=sql.110).aspx) actually refers to clients using ODBC drivers, i.e. if a client uses ODBC connections, then Always Encrypted can be supported when accessing/working with data on an AlwaysEncrypted database.

Always Encrypted allows client applications to encrypt sensitive data and never reveal the data or the encryption keys to SQL Server or Azure SQL Database.

The pre-requisite first step in this article is to enable AlwaysEncrypted on the database (server-side operation) and this is only supported for SQL Server & Azure SQL Database.

The challenge with Access is that it has a totally different paradigm for data access, storage and manipulation when compared to SQL Server. Access is more of a file storage for local operations rather than a centralized database which is what makes it difficult to implement AlwaysEncrypted in Access.
0
 

Accepted Solution

by:
Michael Murphy earned 0 total points
ID: 41842222
With the new ODBC 13.1 driver, tweaking the new settings, and also importing the certificate from the SQL Server onto the client machine, the linked tables will work.

In MS Access I've been able to read, edit, and insert all fields within a linked table that has Always Encrypted columns. It is linked via ODBC from the SQL Server.
0
 
LVL 13

Expert Comment

by:Nakul Vachhrajani
ID: 41842532
I am not convinced. The traffic between the client and SQL Server would be using Always Encrypted, but I doubt if the traffic between SQL Server and linked Access database is encrypted.

What configuration did you have to do on the Access end to decrypt the Always Encrypted traffic? How did you validate that Access was using Always Encrypted?
0
 
LVL 85
ID: 41843374
Nakul,

I believe the author is referring to an Access application, and not Access in terms of data storage (local or otherwise). In this scenario, Access contains only the Forms, Reports, VBA Code, etc - so it is certainly possible the ODBC method would work, and I see no reason for objecting on those grounds.

If the data is encrypted on SQL Server, but not in the linked Access table, then I believe that would be evidence enough that it works ...
2
 

Author Comment

by:Michael Murphy
ID: 41843566
I've tested with the ODBC 11 driver. The encrypted columns are not readable, editable, etc.

I've also tested with the ODBC 13 driver. The encrypted columns are readable, editable, etc. The table is also limited in its operation, as noted in the online documentation regarding the behaviors and limitations for tables with encrypted columns, such as not being able to sort, etc.

When I try to run SQL commands that would work on an unencrypted table, but are supposed to fail when Always Encrypted is enabled, the commands fail with encryption-related errors.

My error early on was that I had not correctly imported the certificate onto the client machine where MS Access is installed. The certificate is a key piece of the puzzle. The ODBC driver alone will not work.
0
 

Author Comment

by:Michael Murphy
ID: 41843579
Also, Scott describes my scenario perfectly. I tend to just call it front end and back end with linked tables. I'll adjust my explanation in the future.

A lot of the documentation still indicates that the .NET connection is the only option, and does not include reference to the new ODBC 13 driver, which I was able to get to work in combination with the cert.

I should also note that deleting the linked table in Access, and then making a new linked connection was necessary. Just using the Linked Table Manager to refresh the linked tables after updating the ODBC driver was not sufficient. The Linked Table Manager method left the columns encrypted/unreadable. Replacing the links provided full functionality.
0
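The relink step and the validation question raised earlier in the thread, as an added VBA example that is not part of any participant's post. The server, database and table names are placeholders, `ColumnEncryption=Enabled` is the ODBC Driver 13.1 connection keyword for Always Encrypted (the thread does not name the settings it changed), and the certificate is assumed to be imported on the client already, as the thread describes.

```vba
' Added example, not from the thread. Server, database and table names are placeholders.
Option Compare Database
Option Explicit

' ColumnEncryption=Enabled turns on Always Encrypted in ODBC Driver 13.1;
' without it the driver hands back ciphertext for encrypted columns.
Private Const AE_CONNECT As String = _
    "ODBC;DRIVER={ODBC Driver 13 for SQL Server};" & _
    "SERVER=sqlhost.example.internal;DATABASE=TestDb;" & _
    "Trusted_Connection=Yes;ColumnEncryption=Enabled;"

' Delete the old link and create a fresh one. The thread reports that a
' Linked Table Manager refresh left the columns unreadable.
Public Sub RelinkEncryptedTable(ByVal localName As String, ByVal remoteName As String)
    Dim db As DAO.Database, td As DAO.TableDef
    Set db = CurrentDb
    On Error Resume Next                 ' the link may not exist yet
    db.TableDefs.Delete localName
    On Error GoTo 0
    Set td = db.CreateTableDef(localName)
    td.Connect = AE_CONNECT
    td.SourceTableName = remoteName
    db.TableDefs.Append td
End Sub

' Ask SQL Server which columns of the table are stored encrypted, so the
' plaintext shown in the linked table can be compared against server state.
Public Function EncryptedColumns(ByVal remoteName As String) As String
    Dim db As DAO.Database, qd As DAO.QueryDef, rs As DAO.Recordset
    Dim found As String
    Set db = CurrentDb
    Set qd = db.CreateQueryDef("")       ' temporary pass-through query
    qd.Connect = AE_CONNECT              ' set before SQL so Access does not parse it
    qd.SQL = "SELECT name, encryption_type_desc FROM sys.columns " & _
             "WHERE object_id = OBJECT_ID(N'" & Replace(remoteName, "'", "''") & "') " & _
             "AND encryption_type IS NOT NULL;"
    qd.ReturnsRecords = True
    Set rs = qd.OpenRecordset(dbOpenSnapshot)
    Do Until rs.EOF
        found = found & rs.Fields("name").Value & " (" & _
                rs.Fields("encryption_type_desc").Value & "); "
        rs.MoveNext
    Loop
    rs.Close
    EncryptedColumns = found
End Function
```

Run `RelinkEncryptedTable "Patients", "dbo.Patients"` and then `? EncryptedColumns("dbo.Patients")` in the Immediate window. Columns that the server lists as encrypted but that show readable values in the linked table meet the test proposed earlier in the thread.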
 
LVL 13

Expert Comment

by:Nakul Vachhrajani
ID: 41844014
Ok, now I get it. Thank-you, Scott & Michael for clarifying.

I thought Access was also involved as a data storage, which is the point I was not convinced about. If Access is just being used as a front-end while the actual data storage is in SQL Server, sure - that would be a valid case for Always Encrypted :)

Thanks again for the clarification and sorry for the confusion. I no longer have any objections.

Have a wonderful week-end!
0


Question has a verified solution.
