I want to distribute an SQL 2008 database to a client and set it up so that the only way to access the data in it is through my application. Can I use Truecrypt for that? Can you think of any other solution?

+1  A: 

I've taken a quick look at Truecrypt and it doesn't look like the tool for what you're trying to do.

You should look at SQL Server Logins, Users and Roles. How you use these will depend on how you set up your database connection. If you can provide more information about how you are connecting I can try and help further.

Kim R
Thanks Kim. But any login setting can ultimately be modified by the server administrator, so I would think that option doesn't work.
Nestor
@Nestor: the server admin ultimately can modify anything, so if you can't trust your admins, don't run any SQL servers... :-)
marc_s
+1  A: 

No, it is not possible. This is asked repeatedly and the answer is the same: protecting the data so that it is only usable from one application is DRM, and SQL Server does not do DRM. There is no cryptographic/encryption or authorization/permission mechanism you can set in place to prevent a legitimate administrator from seeing and using the data as they see fit, including granting other applications permission to use your application data.

At worst you can encrypt all the data in the client and store only the encrypted blobs, thus rendering it unusable to any other application. This approach loses any advantage a relational database offers (data cannot be searched, queried, indexed, foreign relations and constraints cannot be enforced, etc.), rendering the SQL Server absolutely useless for your application. Besides, even in this case, short of using a hardware module, the data is not truly protected since the application cannot embed any encryption key in a secret fashion (any key embedded in the app, no matter how obfuscated it is, can be retrieved, always) and relying on the user to provide a secret password means the user can simply decrypt the data.

If you want to use a DRM scheme (which you are actually asking for), use a DRM product.

Remus Rusanu
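
The trade-off described in the answer above, as an added example that is not part of the original thread: when the client stores only encrypted blobs, the database engine cannot search them, and the application has to fetch and decrypt every row itself. Assumptions: `sqlite3` stands in for SQL Server, an HMAC-SHA256 keystream stands in for a real authenticated cipher, and `APP_KEY`, the table and the sample names are constructed for the demonstration.

```python
import hashlib, hmac, os, sqlite3

# Assumption: a key shipped inside the client application (constructed value).
# Anyone who extracts it from the binary can run decrypt() exactly as the app does.
APP_KEY = b"constructed-demo-key"

def _keystream(key, nonce, n):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); use AES-GCM in real code.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key, text):
    nonce, data = os.urandom(16), text.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def build_db(names):
    # The server only ever sees opaque blobs.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name_enc BLOB)")
    db.executemany("INSERT INTO customers (name_enc) VALUES (?)",
                   [(encrypt(APP_KEY, n),) for n in names])
    return db

def server_side_search(db, needle):
    # What the engine can do on its own: match bytes in the stored ciphertext.
    sql = "SELECT id FROM customers WHERE instr(name_enc, ?) > 0 ORDER BY id"
    return [r[0] for r in db.execute(sql, (needle.encode(),))]

def client_side_search(db, key, needle):
    # What the application must do instead: full scan, decrypt each row, filter.
    rows = db.execute("SELECT id, name_enc FROM customers ORDER BY id").fetchall()
    hits = [rid for rid, blob in rows if needle in decrypt(key, blob)]
    return hits, len(rows)

if __name__ == "__main__":
    db = build_db(["Alice Smith", "Bob Jones", "Carol Smith"])  # constructed data
    print("server-side WHERE:", server_side_search(db, "Smith"))
    print("client-side scan :", client_side_search(db, APP_KEY, "Smith"))
```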