DbDefence Client DLL v2
The Client DLL supports the Named Pipes, TCP and Shared Memory
protocols. Forcing the TCP protocol is no longer required.
It is possible to apply encryption to a database and make it
fully transparent to a 3rd-party application without access to its
source code. Currently this only works with desktop applications
(32- and 64-bit platforms). The desktop limitation exists only
because the existing client DLL can only show a dialog box and
prompt for a password, which in most cases is not suitable for web
applications or system services. For example, it can be used with
SQL Server Management Studio (SSMS) to edit the database after it
has been encrypted. However, some preparation work is required
beforehand.
Overview
We have a special DLL called dbd_clnt.dll which intercepts
connections to SQL Server and prompts the user for a password. At
the moment, only connections without SSL can be intercepted. When an
application connects to SQL Server, dbd_clnt.dll intercepts the
connection and waits for server authorization. After authorization
has completed successfully, the DLL checks whether DbDefence is
installed on the connected server and whether any protected
databases are present. If protected databases are found, the DLL
shows the following dialog:
At this point you can unlock access to the databases. The main
interface is quite simple and straightforward. Currently no warning
is shown if you enter an invalid password. Checking "Do not ask
anymore" turns off prompts for that process until it is
restarted.
Note: On SQL Server Express, databases have an option called
AUTO_CLOSE that is ON by default. It is always ON when you attach or
create a database. When it is ON, SQL Server unloads an unused
database from memory. This behavior may lead to confusion:
dbd_listdb will not display an unloaded database, and the Client DLL
will not display the login dialog as expected.
To solve the problem, set AUTO_CLOSE OFF for the encrypted
database:
ALTER DATABASE DbName SET AUTO_CLOSE OFF
You need to do this every time the database is attached to the
server. You can see the current AUTO_CLOSE state of the databases
with the command:
select name,is_auto_close from sys.databases
By default this option is OFF on SQL Server editions other than
Express.
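Because the setting has to be reapplied after every attach, the check and the fix can be kept in one re-runnable T-SQL script. The following is an added example, not part of the DbDefence distribution; the database names SalesDb and HrDb are constructed placeholders for your own encrypted databases.

```sql
-- Added example (not DbDefence's own script).
-- Assumption: SalesDb and HrDb are constructed placeholder names;
-- replace them with the names of your encrypted databases.
SET NOCOUNT ON;

DECLARE @targets TABLE (name sysname PRIMARY KEY);
INSERT INTO @targets (name) VALUES (N'SalesDb');
INSERT INTO @targets (name) VALUES (N'HrDb');

-- Names that are not attached (or are misspelled): nothing can be changed for them.
SELECT t.name AS not_attached
FROM @targets AS t
LEFT JOIN sys.databases AS d
       ON d.name COLLATE DATABASE_DEFAULT = t.name COLLATE DATABASE_DEFAULT
WHERE d.name IS NULL;

DECLARE @db sysname, @sql nvarchar(400);

-- Only touch listed databases that currently have AUTO_CLOSE ON.
DECLARE fix_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM sys.databases AS d
    JOIN @targets AS t
      ON d.name COLLATE DATABASE_DEFAULT = t.name COLLATE DATABASE_DEFAULT
    WHERE d.is_auto_close = 1;

OPEN fix_cursor;
FETCH NEXT FROM fix_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps unusual database names from breaking the dynamic statement.
    SET @sql = N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET AUTO_CLOSE OFF;';
    PRINT @sql;
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM fix_cursor INTO @db;
END
CLOSE fix_cursor;
DEALLOCATE fix_cursor;

-- Final state: is_auto_close should be 0 for every listed database.
SELECT d.name, d.is_auto_close
FROM sys.databases AS d
JOIN @targets AS t
  ON d.name COLLATE DATABASE_DEFAULT = t.name COLLATE DATABASE_DEFAULT;
```

Run it after each attach; databases that already have AUTO_CLOSE OFF are skipped, so repeated runs change nothing.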
Configuration
First of all, the DLL must be loaded into the target process.
Here we consider the situation where no source code is available or
we do not want to make any changes to the application.
Starter Application
The DbDefence installation includes an application called
starter.exe. It can be found in the client folder of the DbDefence
installation folder. It can start the target application and inject
dbd_clnt.dll to intercept the database connection. Create an
ordinary shortcut that points to starter.exe, add the parameter -a
and then the path to the application to start. For example, for
SSMS for SQL Server 2008 the shortcut target is (default
installation paths):
"C:\Program Files (x86)\DBDefence for SQL Server\client\starter.exe" -a "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"
Unfortunately, the shortcut window is not wide enough to display
the whole field in the screenshot.
When you start SSMS from that shortcut, SSMS starts normally.
Additionally, starter.exe has the following options:
-p Parameters for the program to start. If your application
requires parameters, specify them here. Example: -p " /a /b -f somefile.exe".
-i Specifies which DLL to inject. By default, starter.exe
determines the required DLL itself depending on the platform of the
project (X86 or X64). The two DLLs for the X86 and X64 platforms are
located in the %DbDefence installation path%\client folder.
Example: -i "c:\my dlls\special.dll"
Automatic login
There is an option to supply the database and password
automatically without any user interaction. Contact
support@dbdefence.com if this option is required.