SQL Azure – Requiring Encrypt=True

(Many thanks to Peter Gvozdjak and Dan Benediktson here at Microsoft who worked with me on this issue and provided the bulk of information for this post)

Recently I had a customer inquire about some performance tuning he wanted to do for SQL Azure, and as part of that he found that it was possible to remove the “Encrypt=True” setting on the ADO.NET connection to SQL Azure. We have always stated that the connections to SQL Azure are encrypted, so being able to remove this string surprised him. (More on that reference here: http://msdn.microsoft.com/en-us/library/windowsazure/ff394108.aspx)

It is true that all connections to SQL Azure are encrypted – whether you use the Encrypt=True string or not. We’ll force the connection to encrypt even if you don’t, or we won’t route it. However, you do want to use that string, for a couple of reasons.

Whenever you include the Encrypt=True string, the connection will require that your client validate the Certificate that SQL Azure presents, to ensure that key is the one used by Microsoft. If you don’t include that string, it’s possible – not probable, but possible – that someone could set up a false DNS to cause your certificate to be validated elsewhere.

So don’t give the bad guys a way in – there is no performance gain (other than perhaps if the bad DNS is in your own building!) by leaving it off. Follow the best practice of using Encrypt=True.

There’s more on connection management for things like retries and so on here: http://social.technet.microsoft.com/wiki/contents/articles/sql-azure-connection-management.aspx

Comments (1)

  1. Aleksandr Krymskiy says:

    It would be great if the encrypt_option column in sys.dm_exec_connections on Azure DBs would reflect this. I am seeing FALSE throughout…