Encryptionizer
Encryptionizer, from NetLib (a subsidiary of Communication Horizons), is an encryption application used to protect data at rest in an SQL Server or MSDE database. Separate versions of the product are offered for each (Encryptionizer for SQL Server and Encryptionizer for MSDE), along with a third version, Encryptionizer DE (Desktop Edition), that can be used to protect individual application files. Additional offerings from the vendor include Encryptionizer DE/16 for 16-bit Windows legacy applications and Encryptionizer for Pocket PC, which is listed as "coming soon" on the vendor's Web site. This briefing focuses on Encryptionizer for SQL Server; the other products are similar in their basic capabilities (visit the vendor's Web site for full details).
The basic premise of the product is to provide encryption protection for the data that actually resides on the disk, using one of two methodologies (or both). With automatic whole database encryption, the entire DB is encrypted using a selected encryption type and key (multiple algorithms and key lengths are supported, including DES, 3DES, AES, and Blowfish with 64, 128 or 256 bit keys; the international version is limited to 128 bit keys). Once the data is encrypted, the SQL Server instance is secured so that it, and it alone, can access the encrypted data and provide it in readable form to applications, without requiring that the applications themselves be altered. If the DB is copied and opened by another SQL Server instance, it will be unreadable in that instance.
The vendor notes multiple possible methods for storing and/or providing the access key so that the secured server can decrypt the data: embedding it in the application with an API call; storage in a profile on a local drive, floppy disk, USB drive, or CD (in which case the user must insert the disk before SQL Server will start up; the disk is needed only for startup and not for the entire time the server is up); storage in a profile on a proxy machine; or manual entry of the key by an operator. The vendor also provides a "Secret Sharing Protocol" method that allows the key to be split amongst two or more people such that no one person knows the entire key.
Once secured, the server automatically decrypts data as it reads it from disk and encrypts it before it is written; this encryption applies both to the data in the DB and to data written from SQL Server to disk and tape backups. The second form of data encryption is applied at the column level of the data; specific columns can be protected from users or groups who would otherwise have access to the table that holds them.
Such column-level encryption can be accomplished via a point-and-click Column Encryption Manager, which according to the vendor "...in most cases can be transparent to existing applications," or via APIs that allow column-level encryption to be incorporated directly within applications. Encryptionizer is available now. The vendor states that FIPS 140-2 validation is expected in early 2009.
Product submission by EITPlanet Staff