Encryption during transit - MSSQL

ChristofferL181 · November 5, 2020, 6:21am

Hi guys,

We are looking into using MSSQL as backend storage. One of our discussions is about encryption due to the sensitive nature of the stored secrets.

From what I can read there is no alternative to encrypt the actual network traffic between Vault and a MSSQL cluster. I know that the Vault secret is encrypted but still can’t find a way to enable encryption for all the traffic.

My main worry is that the MSSQL credentials is sent in cleartext during some stage of the connection between Vault and the MSSQL cluster and also that there could be a way to alter the information being sent.

Can anyone shed some light on this?

Thanks!

rgevaert · November 5, 2020, 8:00pm

I would assume you need to enable TLS

ChristofferL181 · November 6, 2020, 6:45am

Hi,

Thanks for your reply!

TLS is the way to go, yes. I see no settings for this in the MSSQL configuration of Vault. Does the MSSQL driver in Vault have support for TLS? Is it on per default?

rgevaert · November 6, 2020, 8:32am

I have no mssql setup so I can’t answer, I would assume it is baked in the go library that is being used. Try it

Topic		Replies	Views
MSSQL Kerberos token login Vault	1	424	July 20, 2021
Database Secret Engine: MS SQL - AlwaysOn Availability Groups Architecture Vault	2	848	May 31, 2021
SQL Server certificates (Key Usage / KeySpec Exchange) Vault	0	509	October 23, 2023
HCSEC-2023-12 - Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File Security security-vault	0	7332	March 30, 2023
How does a custom secret backend benefit from Vault's encryption? Vault	2	499	November 27, 2019

Encryption during transit - MSSQL

Related topics