Encryption during transit - MSSQL

ChristofferL181 · November 5, 2020, 6:21am

Hi guys,

We are looking into using MSSQL as backend storage. One of our discussions is about encryption due to the sensitive nature of the stored secrets.

From what I can read there is no alternative to encrypt the actual network traffic between Vault and a MSSQL cluster. I know that the Vault secret is encrypted but still can’t find a way to enable encryption for all the traffic.

My main worry is that the MSSQL credentials is sent in cleartext during some stage of the connection between Vault and the MSSQL cluster and also that there could be a way to alter the information being sent.

Can anyone shed some light on this?

Thanks!

rgevaert · November 5, 2020, 8:00pm

I would assume you need to enable TLS

ChristofferL181 · November 6, 2020, 6:45am

Hi,

Thanks for your reply!

TLS is the way to go, yes. I see no settings for this in the MSSQL configuration of Vault. Does the MSSQL driver in Vault have support for TLS? Is it on per default?

rgevaert · November 6, 2020, 8:32am

I have no mssql setup so I can’t answer, I would assume it is baked in the go library that is being used. Try it