How to configure SQL encryption

To ensure secure transmission of data between Cayosoft Guardian and the external SQL server, encryption options are available.

NOTE: Upon service start, Cayosoft Guardian will raise an information alert if the connected external SQL Server does not use encryption.

There are the following encryption options:

• False: Disables encryption for SQL connections. This setting offers the lowest CPU and is suitable for trusted internal environments where network-level protection (e.g., VPN, IPsec) is already in place.

  Use when: Encryption is not required, typically in development or isolated lab environments with no external exposure.

• True: Enables encryption using TLS /SSL. The SQL Server must support encrypted connections and have an appropriate certificate.
  Use when: Connecting to SQL Server in production or over untrusted networks. This setting helps protect data integrity and confidentiality.

• Strict: Enforces encryption and requires the SQL Server to present a trusted certificate. If the certificate cannot be verified, the connection will fail.

  Use when: Compliance or security policies require strict validation of encryption, such as in regulated industries or high-security environments.

Initial wizard database encryption options

During the initial configuration of Cayosoft Guardian, you can choose how the connection to the external SQL Server is secured. The Encrypt option in the setup wizard defines whether traffic between Cayosoft Guardian and the SQL Server is encrypted, helping protect sensitive data in transit.

To configure the encryption options:

1. In the Configure database section of the initial setup wizard.

2. Enter the SQL Server name, database name, and login credentials.

3. Use the Encrypt drop-down to select the encryption level.
   
   

   
   

4. Click Next to proceed.

NOTE: Encryption is enforced by default. Selecting True or Strict is recommended to align with security best practices.

Encryption options when creating a new database

1. Navigate to Guardian > Settings > System Databases / Archive Databases.

2. Select the database you'd like to configure (e.g., Change history).

3. Click Create SQL Database or Create Azure SQL Database.
   
   
   
   

4. Use the Encrypt drop-down to select the encryption level.

5. Click Yes to save the changes.

SQL encryption when switching databases

When switching history and configuration databases:

1. Navigate to Guardian > Settings > System Databases / Archive Databases.

2. Select the datasbase you'd like to configure (e.g., Change history).

3. Click Switch to existing historyor Swithch to existing configuration.

4. Use the Encrypt drop-down to select the encryption level.
   
   
   

   Or,

5. For existing database connections, you can update the encryption with this SQL command:

UPDATE [ProductDatabases]
SET [connectionParameters] ='TrustServerCertificate=true;Encrypt=true'
WHERE id ='ADBE4F48-B808-4C2D-B9A7-B72098DE44D4'

TIP: Replace the GUID with your actual database ID.