Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Here are some notes on “SQL Server 2008 Transparent Data Encryption (TDE)” I took while attending an advanced class on SQL Server taught by Greg Low (from https://sqlblog.com/blogs/greg_low/ and https://www.sqldownunder.com/).
Please note that, although these notes were taken during the class, I might have added some of my own (mis)interpretation :-). Always check your facts on Books Online (I try to provide links when applicable). As with anything else you get from a blog, never use any of this in production before you thoroughly validate it a test environment. Please keep in mind that some of those will be hard to follow without some pre-requisite knowledge and the right context. Reading the post from top to bottom will help.
Transparent Data Encryption (TDE)
- Protecting data at rest, no changes to app, low performance cost
- Once TDE is enabled, pages are encrypted on write
- Trading CPU for security, performance impact is minor
- See https://msdn.microsoft.com/en-us/library/bb934049.aspx
- CREATE DATABASE ENCRYPTION KEY ALGORITHM=…
- See https://msdn.microsoft.com/en-us/library/bb677241.aspx
- ALTER DATABASE … SET ENCRYPTION ON
- Must secure key, which is required for backups
- See https://msdn.microsoft.com/en-us/library/ms178578.aspx
Impact
- Indexing still works.
- Transaction log is also encrypted.
- Tempdb is encrypted when your first user database is encrypted.
- Compression and encryption don’t go well together. Can’t compress encrypted data much.
- Instant File Initialization is disabled.
- Filestream data is not encrypted.
- Consider impact on 3rd party tools.
Backup Encryption
- Encrypted databases backups are encrypted
- Encryption key must be available to restore backups (certificate + private key)
- No option to encrypt only at backup time.
Demo
- CREATE DATABASE…
- CREATE TABLE… with some char column
- INSERT… some recognizable string
- sp_detach…
- Look at the database at rest using Notepad (?!), look for string
- CREATE MASTER KEY…
- CREATE CERTIFICATE…
- CREATE DATABASE ENCRYPTION KEY…
- ALTER DATABASE…SET ENCRYPTION ON
- Select * from sys.dm_database_encryption
- Look at encryption_state = 3, encrypted
- sp_detach…
- Look at the database at rest using Notepad (?!), look for string
- Database size does not change… Same number of pages…
Backup/Restore of encrypted database
- On source (re-using from previous demo):
- BACKUP CERTIFICATE … TO FILE=’..’
WITH PRIVATE KEY (FILE=’…’, ENCRYPTION BY PASSWORD=’…’) - BACKUP DATABASE…
- BACKUP CERTIFICATE … TO FILE=’..’
- On target
- CREATE MASTER KEY…
- CREATE CERTIFICATE… FROM FILE
WITH PRIVATE KEY (FILE=’…’,DECRYPTION BY PASSWORD=’…’) - RESTORE DATABASE…
Related blog posts:
Comments
- Anonymous
January 01, 2003
Good post, Jose. You might want to add http://technet.microsoft.com/en-us/sqlserver/dd353197.aspx to your list. There's a TDE How-to video there by Scott Golightly that is pretty good. - Anonymous
January 06, 2014
Pingback from Exam 70-458 - MCSA: SQL Server 2012 - Study Resources | Tracy Boggiano's SQL Server Blog