We are currently in the process of testing the recently released HVR 6.1 MS SQL Server TDE support.

The configuration involves a Source DB residing in a PCI Zone where security controls and PCI audit processes are stringent.

To comply with PCI audit and controls, we have managed to keep the HVR Hub outside of the PCI Zone.  However in order to do so, we must deploy an HVR agent on the Source MS SQL Server DB Cluster.  We use SSH reverse-tunnel to allow the DB node to initiate the connectivity from PCI zone to the HVR Hub where it opens a local port on the HVR Hub which the HVR Hub server uses to connect to the HVR agent.

The above deployment configuration has been reviewed and approved by our Teranet Risk Management and external PCI Auditors.

However, the TDE feature introduces a new challenge.  We must not store the MS SQL Server TDE certificate, private key and private key secret on the HVR Hub to mitigate the possibility of security breaches and the unwanted release of these details. 

Therefore, we require an option to have the certificate, its private key and secret stored locally on the HVR agent (DB Node) in a secure location and where warranted encrypted at rest.  This information should not be sent to or be persisted to disk/database in the HVR Hub.   

When the certificate, private key and password are required by the HVR agent to decrypt the contents of the MS SQL Server Transaction log in a capture/integrate configuration, the HVR agent should retrieve this information locally instead of requesting it from the HVR Hub.

This enhancement will allow us to comply with Risk Management and PCI Audit requirements.

Furthermore, this feature supports the future HVR HVA SaaS architecture where it would be highly desirable to keep sensitive DB encryption certs/keys/passwords local to the HVR agent (DB Node) rather than having them stored in the HVR HVA Hub SaaS service.

Please consider this enhancement request high priority.  In the meantime, we will be following up with HVR Support to ensure we can demonstrate that ALL private key passwords persisted in the HVR Hub metastore DB are fully secured and next to impossible to reverse engineer, even if the HVR Hub server itself is breached.