ECS Linux Fargate with AlwaysEncrypted


I have an existing .NET application that uses the AlwaysEncrypted driver to perform encryption and decryption when sending queries to SQL Server. Moving forward, I would like to containerize the application and run it on a Linux-based container on ECS Fargate instead of Windows. Is this possible?

asked 3 months ago · 87 views
1 Answer
Accepted Answer

The AlwaysEncrypted feature requires you to store the master key in the Windows certificate store, which is only supported on the Windows OS. In this case, a Linux-based container will not be suitable because it lacks the feature to have the Windows certificate store.

AWS Fargate does support hosting Windows containers as well. For your application that is using the AlwaysEncrypted driver, you may consider hosting it on a Windows container. Refer to the Dockerfile code below, which will import and install the master key certificate and password. This process will then allow the driver to transparently encrypt sensitive data before passing it to the SQL Server engine and transparently decrypt data retrieved from encrypted database columns.

Please note that the example below is importing the certificate and password in a clear text file. You may consider integrating with AWS Secrets Manager or Systems Manager to retrieve them. Refer to for more information.

FROM AS base
# Import certificate and password. Not recommended for staging or production workloads:
# both files end up in clear text in an image layer.
COPY ./WebWIthAE/certs/AECert.pfx C:/certs/AECert.pfx
COPY ./WebWIthAE/certs/pwd.txt C:/certs/pwd.txt

# Install Always Encrypted cert to local Windows Certificate Store.
# The PFX password is read from the copied pwd.txt rather than hard-coded.
RUN powershell.exe -Command "\
$certPwd = ConvertTo-SecureString -String (Get-Content -Path C:\certs\pwd.txt -Raw).Trim() -Force -AsPlainText; \
Import-PfxCertificate -FilePath C:\certs\AECert.pfx -Password $certPwd -CertStoreLocation Cert:\CurrentUser\My; \
Import-PfxCertificate -FilePath C:\certs\AECert.pfx -Password $certPwd -CertStoreLocation Cert:\LocalMachine\My"

# Grant read access on the private key file (found via the certificate thumbprint).
# 'Everyone' is broader than the application needs; scope it to the app's account where possible.
RUN powershell.exe -Command "\
$CertObj = Get-ChildItem Cert:\LocalMachine\My\1E91974116DA0F4415930F1A0B946CA2621A99CC; \
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertObj); \
$fileName = $rsaCert.Key.UniqueName; \
$path = \"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$fileName\"; \
$permissions = Get-Acl -Path $path; \
$user = \"Everyone\"; \
$permission = \"Read\"; \
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $user, $permission, Allow; \
$permissions.AddAccessRule($rule); \
Set-Acl -Path $path -AclObject $permissions"
answered 3 months ago
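Added example, not part of the answer above or of any AWS sample: a PowerShell start-up step for the Windows container that does at run time what the Dockerfile does at build time, pulling the PFX and its password from AWS Secrets Manager (as the answer suggests) so neither is baked into an image layer, verifying the thumbprint, and granting private-key read access to one configured identity instead of Everyone. It assumes the AWS.Tools.SecretsManager module is installed in the image, the ECS task role can read the secret, the secret is a JSON document with `pfxBase64` and `password` fields, and the environment variable names and the default account `ContainerUser` are mine.

```powershell
# Start-up step for the Windows container: import the Always Encrypted column master
# key certificate from AWS Secrets Manager and grant read access on its private key.
# Assumed secret layout (not from the original answer):
#   {"pfxBase64":"<base64 PFX>","password":"<PFX password>"}
$ErrorActionPreference = 'Stop'
Import-Module AWS.Tools.SecretsManager

$secretId   = $env:AE_CERT_SECRET_ID                       # hypothetical variable names,
$thumbprint = $env:AE_CERT_THUMBPRINT.ToUpperInvariant()   # set in the ECS task definition
$keyReader  = if ($env:AE_KEY_READER) { $env:AE_KEY_READER } else { 'ContainerUser' }

# 1. Fetch PFX bytes and password into memory; nothing is written to disk or an image layer.
$secret   = (Get-SECSecretValue -SecretId $secretId).SecretString | ConvertFrom-Json
$pfxBytes = [Convert]::FromBase64String($secret.pfxBase64)
$pfxPwd   = ConvertTo-SecureString -String $secret.password -AsPlainText -Force

# 2. Import into LocalMachine\My with a persisted machine key, after checking it is the
#    column master key the application expects.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, $pfxPwd, $flags)
if ($cert.Thumbprint -ne $thumbprint) {
    throw "Secret holds certificate $($cert.Thumbprint), expected column master key $thumbprint"
}
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()

# 3. Locate the private key file. CNG keys expose Key.UniqueName, CSP keys
#    CspKeyContainerInfo.UniqueKeyContainerName; machine keys live in one of two folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } `
              else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem -Force -Filter $uniqueName -ErrorAction SilentlyContinue -Path @(
    'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys', 'C:\ProgramData\Microsoft\Crypto\Keys') |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file $uniqueName not found" }

# 4. Read access for the application identity only, not Everyone.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($keyReader, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Drop secret material from this session before the application starts.
$secret = $null; $pfxBytes = $null; $pfxPwd = $null
```

Run it as the first step of the container entrypoint (before launching the .NET process) under an administrative account, since writing to LocalMachine\My and changing the key file ACL both require it.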
