New Capability  ·  Encryptionizer

Search your encrypted documents.
Natively. Inside SQL Server.

Full-text indexing on encrypted SQL Server FileTables — a capability that native TDE can’t deliver and Always Encrypted breaks entirely. Keep PDFs, Word docs, scans, and attachments encrypted at rest while CONTAINS and FREETEXT queries keep working.

AES-256 at rest iFilter-compatible No second index to secure No app code changes
Start Free Evaluation → Talk to an engineer
Why This Is Hard

Encryption and search usually cancel each other out.

SQL Server’s own encryption models leave a gap for document stores — and third-party tools that fill it typically break full-text search. We closed both.

The Problem

Native SQL Server can’t do this.

FileTables store documents (PDFs, Word, scans) in the file system while exposing them as a queryable table. Full-text indexing reads the raw file bytes through iFilters. But:

  • Always Encrypted breaks full-text search entirely — encrypted columns can’t be indexed.
  • Native TDE protects data files, but FileStream containers have historically been excluded or require Enterprise licensing.
  • SQL Express has no TDE at all — document stores sit in plain text on disk.
  • Third-party file encryption typically corrupts iFilter extraction, making the index useless.
The Encryptionizer Solution

Files stay encrypted. Search keeps working.

Encryptionizer sits between the SQL Server engine and the file system. During full-text index population, iFilters receive the content they need to extract searchable terms. The underlying files remain encrypted at rest, in backups, and on removable media.

  • Documents encrypted with AES-256, FIPS 140-2 validated.
  • CONTAINS and FREETEXT queries work without modification.
  • Zero application code changes — your DMS, EHR, or case-management software runs unchanged.
  • No second system (Elasticsearch, Azure Cognitive Search) to stand up, secure, or audit.
How It Works

Four layers. One transparent flow.

STEP 01

Document lands in FileTable

Application writes a PDF, .docx, or scanned image to the FileTable as usual — via SQL INSERT, Windows file share, or API.

STEP 02

File written encrypted

Encryptionizer intercepts the write. AES-256 ciphertext is what actually lands on disk. Backups of the FileStream container inherit the encryption automatically.

STEP 03

Indexer reads transparently

When SQL Server’s full-text index crawl runs, it calls the appropriate iFilter for each file type. Encryptionizer provides in-memory access so the iFilter can extract terms — the file on disk stays encrypted.

STEP 04

Queries return hits

Your app runs CONTAINS(file_stream, 'HIPAA') — or any other T-SQL full-text predicate — and gets matching documents back. No second index, no external search service, no schema changes.

-- Standard SQL Server full-text query. Works unchanged against encrypted FileTables.
SELECT name, file_stream.GetFileNamespacePath() AS path
FROM   dbo.PatientDocuments
WHERE  CONTAINS(file_stream, '"informed consent" NEAR rhinoplasty')
  AND  creation_time > DATEADD(day, -90, GETDATE());

-- Under the hood: files are AES-256 encrypted on disk. The query returns plaintext hits.
-- No application change. No second search index. No schema rewrite.
Who Uses This

Built for regulated, document-heavy workloads.

Any organization that must simultaneously encrypt, retain, and search documents — without sending them to a cloud search service.

⚖️

Legal & E-Discovery Platforms

Attorneys need to search across thousands of encrypted case documents — contracts, depositions, exhibits, email archives — during active litigation or compliance review.

“We can produce a hit-list in seconds for any `NEAR` or phrase query across a 400-GB encrypted document store.”
🏥

Healthcare DMS & EHR Add-ons

Scanned intake forms, signed consents, imaging reports, and referral letters — PHI that must be encrypted under HIPAA while remaining searchable for clinicians and billing.

“HIPAA requires encryption at rest. Clinicians require search. This is the only way to have both on-prem.”
🛡️

Government & Regulated Contractors

CUI, ITAR, and CMMC-regulated document stores that can’t move to commercial cloud search services. Must stay in controlled, encrypted, on-prem SQL Server environments.

“Our contract explicitly prohibits sending document content to third-party SaaS indexing services.”
📦

ISVs & OEMs on SQL Server

Document-management, claims-processing, and case-management platforms that embed SQL Server and ship to regulated customers. Embed Encryptionizer via OEM license and make encrypted-search a selling point.

“Our customers get HIPAA-ready document search out of the box — no separate procurement cycle.”
Side by Side

The alternatives — and why they fall short.

Every approach trades something. This one doesn’t ask you to choose between compliance, search, or simplicity.

Capability Encryptionizer Native TDE Always Encrypted Azure Cognitive Search
Files encrypted at rest on disk Partial (FileStream gaps) Depends on storage
Full-text search works on encrypted content
Runs on SQL Server Express Partial
Keeps data on-premise (no cloud required)
No second index or service to secure
Works with CMMC / ITAR / CUI workloads Edition-dependent GovCloud only
No application code changes required
FIPS 140-2 validated cryptography Tier-dependent

Comparison reflects publicly documented behavior as of 2026. Individual deployments vary — we’ll validate against your specific environment during the free evaluation.

FAQ

Questions we get the most.

What file types can be indexed?

Anything a SQL Server iFilter supports: PDF (with Adobe or Foxit iFilter), Microsoft Office (.docx, .xlsx, .pptx), plain text, HTML, XML, and OCR’d image formats. Installing a third-party iFilter for scanned medical images or CAD files works the same way.

What’s the performance overhead?

For AES-256 file decryption on modern multi-core servers, the typical overhead during index population is in the low single-digit percent range, and query-time overhead is often unmeasurable because the index itself is unchanged. We’ll benchmark on your hardware during the free evaluation.

What happens to the full-text index itself — is it encrypted too?

The full-text catalog lives inside the database file, which Encryptionizer encrypts as part of the standard database-level TDE. So the index, the FileTable metadata, the backups, and the underlying document bytes are all encrypted at rest.

Can I point my existing DMS or EHR at this without changes?

Yes. Encryptionizer is transparent to applications. If your software already uses FileTables and full-text search against SQL Server, it will continue to work exactly as it does today — with encrypted files on disk instead of plaintext.

Is there an OEM / ISV embedding license?

Yes. If you’re shipping a product that embeds SQL Server and you’d like your customers to get encrypted-document-search by default, we license Encryptionizer on a distribution-volume basis. Contact sales for a quote tailored to your deployment model.

NetLib Security
AI Assistant · Online
Hi! I'm the NetLib Security assistant. I can answer questions about our encryption solutions, HIPAA compliance, Encryptionizer, and more. How can I help you today?