
Product Overview

Goal

Deliver a transparent, policy-driven SQL network proxy that intercepts TDS/SQL traffic to apply on-the-fly encryption, tokenization, and selective access—without application changes—backed by enterprise KMS/HSM (CipherTrust Manager, Luna HSM) to reduce data-exposure risk and accelerate compliance.

Features

MVP (Phase 1)

  • Transparent SQL network proxy for Microsoft SQL Server (TDS).
  • Column-level transformation policies: FPE (FF1/Card10/Card62), AES (decrypt on read / encrypt on write), masking.
  • Selective decryption by role (policy: schema.table.column → action per DB user).
  • Pass-through authentication; proxy focuses on data paths (SELECT/INSERT/UPDATE/DELETE basic coverage).
  • External key custody: CipherTrust Manager / Luna HSM (key create/store/rotate); local dev keys for lab.
  • Observability: structured logs, basic telemetry (request IDs, timings, policy hits).
  • TLS via HAProxy fronting the proxy (recommended pattern); direct TLS optional. A TCP-level TLS terminator only works when the client completes the TLS handshake before the first TDS packet (TDS 8.0 strict encryption); with TDS 7.x the handshake is carried inside PRELOGIN packets and cannot be terminated by a plain TCP front-end. The clear TCP hop from HAProxy to the proxy listener should stay on loopback or an isolated segment.
  • Licensing & activation: online/offline, pre-expiry warnings (10/5 days).
  • Admin GUI for config (proxy-config-manager) + file-based config.properties.

Advanced (Planned)

  • Oracle mode (SQL*Net) with feature parity when feasible.
  • Tokenization services (format-preserving tokens with referential integrity).
  • Deterministic encryption for joins/lookups; HMAC integrity tags.
  • RBAC integration with enterprise IdP groups (mapping to policy roles).
  • High Availability patterns (active/active behind L4).
  • Deep telemetry (Prometheus/Grafana, SIEM dashboards, tracing).
  • Granular SQL coverage (more TDS messages, bulk ops, edge types).
  • Performance profiles & auto-tuning (buffer strategies, crypto pipelines).
  • PQC-ready key wrapping (future).

Supported Platforms & DBs

Platforms
  • Linux (RHEL/Rocky/Ubuntu), Windows Server 2019+.
  • Java JDK 17+ (HotSpot/OpenJDK).
  • Optional HAProxy for TLS termination.

Databases / Drivers
  • SQL Server (primary): ODBC/JDBC/EF Core clients (no app changes).

Architecture at a glance

flowchart LR
  A[Client / ORM] --> P[SQL Proxy v2]
  P --> D[(SQL Server)]
  P -.-> E[Policy Engine]
  P -.-> K[CipherTrust / Luna HSM]
  P -.-> L[Telemetry & Logs]

Select query flow: a protected column is decrypted only when the connecting DB user is listed in the policy as allowed to see that column in clear; for any other user the encrypted columns are returned as stored, i.e. still encrypted.

sequenceDiagram
  participant Client
  participant Proxy as BIP SQL Proxy v2
  participant DB as SQL Server
  Client->>Proxy: TDS PreLogin/Login
  Proxy->>DB: Forward credentials
  DB-->>Proxy: Login OK
  Client->>Proxy: SELECT ... (sensitive columns)
  Proxy->>DB: SELECT ...
  DB-->>Proxy: Rowset (enc values)
  Proxy->>Proxy: Apply policy (decrypt/mask)
  Proxy-->>Client: Rowset (authorized view)

Insert operation flow using BIP: every insert ends with the columns marked as protected in the properties file being encrypted. Note that the INSERT itself is forwarded unchanged and the encryption is done by the proxy's post-commit scan, so the committed row is readable in clear for the short interval before that scan runs.

sequenceDiagram
  participant Client
  participant Proxy as BIP SQL Proxy v2
  participant DB as SQL Server
  Client->>Proxy: Insert operation
  Proxy->>DB: Forward insert operation intact
  DB-->>Proxy: Commit OK
  Proxy-->>Client: Forward commit OK
  Proxy->>DB: Inspect in real time for non-encrypted rows
  Proxy->>DB: Encrypt columns designated for encryption

Insert operation flow without using BIP: rows written directly to the DB are still encrypted, because the proxy scans the protected columns and encrypts any values it finds in clear.

sequenceDiagram
  participant Client
  participant Proxy as BIP SQL Proxy v2
  participant DB as SQL Server
  Client->>DB: Insert operation
  DB-->>Client: Commit OK
  Proxy->>DB: Inspect in real time for non-encrypted rows
  Proxy->>DB: Encrypt columns designated for encryption

Update/Delete operation flow: an UPDATE or DELETE whose statement references a protected column (in the SET list or the WHERE predicate).

sequenceDiagram
  participant Client
  participant Proxy as BIP SQL Proxy v2
  participant DB as SQL Server
  Client->>Proxy: TDS PreLogin/Login
  Proxy->>DB: Forward credentials
  DB-->>Proxy: Login OK
  Client->>Proxy: UPDATE/DELETE ... (sensitive columns)
  Proxy->>Proxy: Apply policy (encrypt protected-column values on write)
  Proxy->>DB: UPDATE/DELETE ...
  DB-->>Proxy: Update/Delete confirmation OK
  Proxy-->>Client: Forward Update/Delete confirmation OK

Key operations

  • Inline & transparent: intercepts packets/SQL statements; apps and schemas stay intact.
  • Policy-driven: column rules applied on the fly (decrypt for authorized db-credentials, mask/tokenize otherwise).
  • Externalized keys: crypto material never persists in proxy storage; rotation is auditable.
  • Mandatory pass-through operations: SELECT, UPDATE and DELETE must go through the BIP SQL proxy, because it is the proxy that checks whether the DB credential is entitled to see the protected data in clear. Only inserts may bypass it, since the post-commit scan encrypts protected columns regardless of the write path.

Constraints and conditions

  • Initial focus: SQL Server; MySQL, PostgreSQL and Oracle coverage follows in later phases.
  • Authentication is pass-through (proxy is not an IAM provider).
  • Some vendor-specific SQL edge cases may require policy exceptions or parser tuning.
  • Throughput and latency depend on hardware, policy density, and crypto provider latency.
  • Numeric columns are encrypted only with FPE Card10. The value is marked as encrypted by storing the ciphertext digits as a negative number, so the sign is the encryption marker and the magnitude is the numeric ciphertext.
  • Alphanumeric columns encrypted with FPE are marked with a hash (#) prefixed to the ciphertext, so the BIP proxy can tell encrypted values from cleartext.
  • Because both markers are in-band, a protected column must not legitimately hold negative numbers (numeric) or values beginning with # (alphanumeric); such cleartext would be indistinguishable from ciphertext and left untouched.

Warning

  • The minimum alphanumeric length to encrypt using FPE (Card26) is four (4) characters.
  • Partial searches (e.g., LIKE '548%') on encrypted columns are not applicable.
  • Math/sorting on encrypted columns may not be feasible.
  • Current focus is on direct queries (equality/read).
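The following Python example is added here to tie the select flow, the insert and post-commit scan flows, and the marker rules above together in working code; it is not BIP SQL Proxy code. Everything in it is an assumption for illustration: ToyFPE is a stand-in for the FF1 provider (a keyed per-position shift over the Card10/Card62 alphabet, not FF1 and not secure), the key is a local lab key rather than a CipherTrust/Luna key, numeric fields are assumed fixed-width (the negative-number marker cannot carry leading zeros), and the policy, users and row are constructed. The names ColumnRule, protect, reveal, apply_read_policy and post_commit_scan are the example's own.

```python
"""Marker-aware, policy-driven column transformation (illustrative example only).

Rules mirrored from the page: numeric ciphertext is stored as a negative number,
alphanumeric ciphertext carries a '#' prefix, and a protected column is decrypted
only for DB users the policy lists; everyone else gets a mask or the value as stored.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

CARD10 = "0123456789"
CARD62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ALNUM_MARKER = "#"
MIN_ALNUM_LEN = 4  # minimum alphanumeric length for FPE, per the warning above


class ToyFPE:
    """Stand-in for the FF1 provider (assumption): keyed per-position shift over one
    alphabet. Format-preserving and reversible, but NOT FF1 and NOT secure."""

    def __init__(self, key: bytes, alphabet: str) -> None:
        self.key, self.alphabet = key, alphabet

    def _shift(self, pos: int, length: int) -> int:
        tag = hmac.new(self.key, f"{pos}/{length}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big") % len(self.alphabet)

    def _apply(self, text: str, sign: int) -> str:
        n, out = len(self.alphabet), []
        for i, ch in enumerate(text):
            idx = self.alphabet.index(ch)  # ValueError if a char is outside the alphabet
            out.append(self.alphabet[(idx + sign * self._shift(i, len(text))) % n])
        return "".join(out)

    def encrypt(self, text: str) -> str:
        return self._apply(text, +1)

    def decrypt(self, text: str) -> str:
        return self._apply(text, -1)


@dataclass
class ColumnRule:
    """Policy entry keyed by schema.table.column."""
    kind: str                   # "numeric" (Card10) or "alnum" (Card62)
    clear_users: Set[str]       # DB users allowed to see cleartext
    mask: Optional[str] = None  # shown to other users; None = return value as stored
    width: int = 0              # numeric only: fixed digit width (assumption)


Policy = Dict[str, ColumnRule]
Value = Union[int, str]


def is_encrypted(value: Value, rule: ColumnRule) -> bool:
    """In-band markers: negative number for Card10, '#' prefix for Card62."""
    if rule.kind == "numeric":
        return isinstance(value, int) and value < 0
    return isinstance(value, str) and value.startswith(ALNUM_MARKER)


def protect(value: Value, rule: ColumnRule, fpe: Dict[str, ToyFPE]) -> Value:
    """Encrypt on write and mark. Idempotent, so the post-commit scan can re-run safely."""
    if is_encrypted(value, rule):
        return value
    if rule.kind == "numeric":
        # Zero-pad to a fixed width: the sign marker cannot preserve leading zeros.
        return -int(fpe[CARD10].encrypt(str(value).zfill(rule.width)))
    if len(value) < MIN_ALNUM_LEN:
        raise ValueError(f"FPE needs at least {MIN_ALNUM_LEN} characters")
    return ALNUM_MARKER + fpe[CARD62].encrypt(value)


def reveal(value: Value, rule: ColumnRule, fpe: Dict[str, ToyFPE]) -> Value:
    """Decrypt a marked value back to cleartext (authorized users only)."""
    if rule.kind == "numeric":
        return int(fpe[CARD10].decrypt(str(-value).zfill(rule.width)))
    return fpe[CARD62].decrypt(value[len(ALNUM_MARKER):])


def apply_read_policy(db_user: str, columns: List[str], rows: List[list],
                      policy: Policy, fpe: Dict[str, ToyFPE]) -> List[dict]:
    """SELECT path: decrypt for listed users; mask or return as stored for others.
    Unprotected columns, and rows the scan has not encrypted yet, pass through."""
    result = []
    for row in rows:
        view = {}
        for col, value in zip(columns, row):
            rule = policy.get(col)
            if rule is None or not is_encrypted(value, rule):
                view[col] = value
            elif db_user in rule.clear_users:
                view[col] = reveal(value, rule, fpe)
            else:
                view[col] = rule.mask if rule.mask is not None else value
        result.append(view)
    return result


def post_commit_scan(columns: List[str], rows: List[list],
                     policy: Policy, fpe: Dict[str, ToyFPE]) -> List[list]:
    """INSERT path (via BIP or direct to the DB): encrypt protected columns still in clear."""
    return [[protect(v, policy[c], fpe) if c in policy else v for c, v in zip(columns, row)]
            for row in rows]


def build_lab():
    """Constructed lab setup: local key, two protected columns, three DB users."""
    key = b"lab-only-key-do-not-use"  # constructed; real keys live in CipherTrust/Luna
    fpe = {CARD10: ToyFPE(key, CARD10), CARD62: ToyFPE(key, CARD62)}
    policy = {
        "dbo.Customers.CardNumber": ColumnRule("numeric", {"app_finance"}, width=16),
        "dbo.Customers.LoyaltyId": ColumnRule("alnum", {"app_finance", "app_support"}, mask="****"),
    }
    columns = ["dbo.Customers.Id", "dbo.Customers.CardNumber", "dbo.Customers.LoyaltyId"]
    return columns, policy, fpe


def demo():
    columns, policy, fpe = build_lab()
    committed = [[1, 4111111111111111, "AB12xy89"]]  # constructed row as a client wrote it
    stored = post_commit_scan(columns, committed, policy, fpe)
    views = {u: apply_read_policy(u, columns, stored, policy, fpe)[0]
             for u in ("app_finance", "app_support", "bi_readonly")}
    return stored, views


if __name__ == "__main__":
    print(demo())
```

The card column has no mask configured, so app_support and bi_readonly receive the stored negative ciphertext unchanged, while the loyalty column is masked for bi_readonly only; running post_commit_scan a second time over already-encrypted rows is a no-op, which is what lets the scan run continuously against rows inserted directly into the database.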

Glossary

TDS: Tabular Data Stream, the SQL Server wire protocol used by clients/drivers.
FPE (FF1/Card10/Card62): Format-Preserving Encryption (NIST FF1); Card10 = numeric 0–9 alphabet for PAN-like fields; Card62 = alphanumeric alphabet A–Z, a–z, 0–9.
Policy (schema.table.column): Rule mapping that declares how to transform a given column and who may see cleartext.
KMS/HSM: Key Management System / Hardware Security Module for secure key generation, storage, and rotation.
Pass-through auth: The proxy forwards client authentication to the DB; it does not re-authenticate users itself.
RBAC: Role-Based Access Control; roles used to decide decrypt/mask behavior per column.
HAProxy TLS: Pattern where TLS terminates at HAProxy, which forwards clear TCP to the proxy listener.
SQL: Structured Query Language.
Encryption Key: A piece of information (bits) used by algorithms to encrypt/decrypt data, readable only to authorized parties.