Hello @Gaurav Singh Gagwari ,
Transparent Data Encryption (TDE) does not need any features/settings to be configured on SharePoint. TDE is designed to protect data by encrypting the physical files of the database.
Please follow the steps below to enable TDE:
1st: Create the DMK
- Symmetric key used to protect private keys and asymmetric keys
- Itself protected by the Service Master Key (SMK), which is created by SQL Server setup
Use the following syntax:
USE master;
GO
CREATE MASTER KEY ENCRYPTION
BY PASSWORD='CrypticTDEpw4CompanyABC';
GO
2nd: Create the TDE cert
- Protected by the DMK
- Used to protect the DB encryption key
Use the following syntax:
USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert
WITH SUBJECT='CompanyABC TDE Certificate';
GO
3rd: Back up the TDE cert
- Without a backup, data can be lost
- Backup creates two files, the Cert backup and the Private Key File
Use the following syntax:
USE master;
GO
BACKUP CERTIFICATE CompanyABCtdeCert
TO FILE = 'C:\temp\CompanyABCtdeCert.cer'
WITH PRIVATE KEY (file='C:\temp\CompanyABCtdeCert.pvk',
ENCRYPTION BY PASSWORD='CrypticTDEpw4CompanyABC!');
GO
4th: Create the DEK
- DEK is used to encrypt a specific database
- One is created for each database
- Encryption method can be chosen for each DEK
Use the following syntax:
USE [YourContentDB Name];
-- USE [SharePoint_AdminContent_f92a9af1-5581-4c6e-a0b0-f8dfb1bbe127];
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
GO
5th: Encrypt the DB
- Data encryption will begin after running the command
- Size of the DB will determine the time it takes; it can be lengthy and could cause user blocking
Use the following syntax:
USE [YourContentDB Name];
-- USE [SharePoint_AdminContent_f92a9af1-5581-4c6e-a0b0-f8dfb1bbe127];
GO
ALTER DATABASE [YourContentDB Name]
-- ALTER DATABASE [SharePoint_AdminContent_f92a9af1-5581-4c6e-a0b0-f8dfb1bbe127]
SET ENCRYPTION ON;
GO
6th: Monitor Progress
- State is returned
- State of 2 = Encryption Begun
- State of 3 = Encryption Complete
Use the following syntax:
USE [YourContentDB Name];
-- USE [SharePoint_AdminContent_f92a9af1-5581-4c6e-a0b0-f8dfb1bbe127];
GO
SELECT * FROM sys.dm_database_encryption_keys
WHERE encryption_state =3;
GO
Restoring Encrypted DB to another Server:
1st: Create a new Master Key on the Target Server (does not need to match the source master key)
2nd: Back up the Cert and Private Key from the Source
3rd: Restore the Cert and Private Key onto the Target (no need to export the DEK as it is part of the backup)
USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert
FROM FILE = 'C:\temp\CompanyABCtdeCert.cer'
WITH PRIVATE KEY(
FILE ='C:\temp\CompanyABCtdeCert.pvk',
DECRYPTION BY PASSWORD ='CrypticTDEpw4CompanyABC!');
GO
4th: Restore the DB
Thanks,
Echo Du
============
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
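The six steps above, plus the target-server restore, combined into one T-SQL script as an added example (this is not code from the answer above). It adds what a practitioner usually wants on top of the bare commands: existence checks so the script can be re-run, a query that confirms the certificate's private key has actually been backed up (sys.certificates.pvt_key_last_backup_date stays NULL until it has), and a monitoring query that decodes every encryption_state value and shows percent_complete. The database name WSS_Content_Example, the C:\temp paths, the passwords, and the RESTORE file locations are placeholders for this example.

```sql
-- Added example: end-to-end TDE for one SharePoint content database.
-- All names, paths and passwords below are placeholders.
USE master;
GO
-- 1. Database master key in master (create only if none exists).
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
GO
-- 2. Certificate that will protect the database encryption key.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'CompanyABCtdeCert')
    CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
GO
-- 3. Back up the certificate and its private key. Without these two files
--    (and the password) an encrypted database cannot be restored elsewhere.
BACKUP CERTIFICATE CompanyABCtdeCert
    TO FILE = 'C:\temp\CompanyABCtdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\temp\CompanyABCtdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
GO
-- Confirm the private key backup was recorded before going any further.
SELECT name, pvt_key_last_backup_date, expiry_date
FROM sys.certificates
WHERE name = 'CompanyABCtdeCert';
GO
-- 4. Database encryption key inside the content database (placeholder name).
USE [WSS_Content_Example];
GO
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
GO
-- 5. Switch encryption on; the background encryption scan starts immediately.
ALTER DATABASE [WSS_Content_Example] SET ENCRYPTION ON;
GO
-- 6. Monitor. The DMV is server-wide, so every database with a DEK is listed,
--    including tempdb, which is encrypted as soon as any user database is.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       CASE k.encryption_state
            WHEN 0 THEN 'No DEK present, not encrypted'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
            WHEN 6 THEN 'Protection change in progress'
       END AS encryption_state_desc,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;
GO

-- ===== Target server: run these after copying the .cer/.pvk files across =====
USE master;
GO
-- The target's master key does not need to match the source's.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'DifferentTargetDMKpw4CompanyABC';
GO
-- Import the certificate and private key; the DEK travels inside the .bak file.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'CompanyABCtdeCert')
    CREATE CERTIFICATE CompanyABCtdeCert
        FROM FILE = 'C:\temp\CompanyABCtdeCert.cer'
        WITH PRIVATE KEY (FILE = 'C:\temp\CompanyABCtdeCert.pvk',
                          DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
GO
-- Restore fails with a "cannot find server certificate" error if the
-- certificate above is missing, which is the check that the import worked.
RESTORE DATABASE [WSS_Content_Example]
    FROM DISK = 'C:\temp\WSS_Content_Example.bak'
    WITH MOVE 'WSS_Content_Example'     TO 'D:\Data\WSS_Content_Example.mdf',
         MOVE 'WSS_Content_Example_log' TO 'E:\Logs\WSS_Content_Example_log.ldf',
         RECOVERY;
GO
```

Once the restore succeeds, delete the .cer and .pvk files from C:\temp on both servers and keep them (with the password) in a protected location; anyone holding those two files plus the password can restore the encrypted content database anywhere, so they are the real secret TDE protects.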