Securing Database Contents with Transparent Data Encryption (TDE)
7/27/2019

Introduction
Microsoft SQL Server has many security features available within the database, but until the release of SQL Server 2008 there was no “out-of-the-box” method for protecting the data at the operating system level. The Transparent Data Encryption (TDE) feature introduced in SQL Server 2008 allows sensitive data to be encrypted within the data files to prevent access to it from the operating system. It addresses data-at-rest security by encrypting databases on the hard disk and on any backup media, and is the best possible choice for bulk encryption to meet regulatory compliance or corporate data security standards. This feature encrypts both data and logs as the records are written to SQL database files (*.mdf) in real time, including backups, snapshots and transaction logs. TDE encrypts data before it is written to disk and decrypts data before it is returned to the application. The encryption and decryption process is performed at the SQL layer, completely transparent to applications and users. TDE encryption uses a Database Encryption Key (DEK) (that is an asymmetric key secured by using a certificate stored in the master database), which is stored in the database boot record for availability during recovery.

In this post, I’ll show you how to encrypt a database using Transparent Data Encryption (TDE), and then I will discuss the limitations of TDE.

Architecture of Transparent Data Encryption

The following illustration shows the architecture of TDE encryption:
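The key chain the illustration depicts (a DEK inside the user database, protected by a certificate in master, which is in turn protected by the database master key) can be built with the T-SQL below. This is an added example and not a script from the original post; it uses the names from this post's demo (CertificateforTDE, AdventureWorks2012, the '$tr0ngPa$$w0rd1' password), while the certificate subject text, the AES_256 algorithm choice and the IF NOT EXISTS guards are assumptions made here so the script can be re-run safely.

```sql
-- Added example (not from the original post): builds the TDE key hierarchy
-- shown in the architecture illustration, using the names from this post's demo.
USE [master];
GO

-- 1. Database master key (DMK) in master. It is protected by the service master
--    key and by the password given here (password taken from this post's demo).
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1';
GO

-- 2. Self-signed certificate in master; its private key is protected by the DMK.
--    The subject text is an assumption.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'CertificateforTDE')
    CREATE CERTIFICATE CertificateforTDE
        WITH SUBJECT = 'TDE certificate for AdventureWorks2012';
GO

-- 3. Database encryption key (DEK) inside the user database, protected by the
--    server certificate. AES_256 is an assumed (and common) algorithm choice.
USE [AdventureWorks2012];
GO
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE CertificateforTDE;
GO

-- 4. Switch encryption on. Existing pages are encrypted by a background scan,
--    so the database stays online while this runs.
ALTER DATABASE [AdventureWorks2012] SET ENCRYPTION ON;
GO

-- 5. Show the chain: DEK -> certificate (matched by thumbprint) -> protection
--    type of the certificate's private key (expected: ENCRYPTED_BY_MASTER_KEY).
SELECT  DB_NAME(dek.database_id)       AS database_name,
        dek.key_algorithm,
        dek.key_length,
        c.name                         AS certificate_name,
        c.pvt_key_encryption_type_desc AS private_key_protection
FROM    sys.dm_database_encryption_keys AS dek
JOIN    master.sys.certificates        AS c
        ON c.thumbprint = dek.encryptor_thumbprint;
```

The final query is the one to keep for later audits: any row whose private_key_protection is not ENCRYPTED_BY_MASTER_KEY is a certificate that TDE will not be able to use after a service restart (see the limitations at the end of this post).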
Execute the following script to backup the database master key of master database:
USE [master]
GO
-- Master key password must be specified when it is opened.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1'
BACKUP MASTER KEY TO FILE = 'D:\TDE_Demo\ExportedMasterKey.key'
    ENCRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1'
GO
Once the script has executed successfully, verify that the master key and security certificate backup files have been created in the location specified in the script; in this demo that is D:\TDE_Demo\ (see below):
Note: Save your master key and security certificate backup files in a secure location as
you’ll need them when restoring the database on a different SQL Server otherwise the
The final step in the setup process of TDE is to enable it. This is accomplished by
executing the ALTER DATABASE command with the SET ENCRYPTION ON
argument.
Execute the following script to enable TDE on the AdventureWorks2012 database:
USE [master]
GO
ALTER DATABASE [AdventureWorks2012]
SET ENCRYPTION ON
GO
To verify that the database is encrypted using TDE, right-click the database and choose Properties; you will see that the encryption option is now ON, as shown in the figure below:
Now test restoring the AdventureWorks2012 database on the same instance, as follows:
As you can see from the above, the database restore succeeds on the same instance.
Now try restoring this database on different SQL Server using script below:
USE [master]
GO
RESTORE DATABASE [AdventureWorks2012]
FROM DISK = N'D:\Backups\AdventureWorks2012.bak' WITH FILE = 1,
MOVE N'MyFileStream' TO N'D:\Databases\MyFileStream',
MOVE N'AdventureWorks2012_Data' TO
As you can see, the restore process will fail with the error below:
This is because the database is encrypted with TDE.
To restore the TDE encrypted database on a different SQL Server instance, you first need to restore the database master key and then the self-signed certificate that is used to encrypt the database encryption key.
After the database master key has been restored from its backup, execute the following script to re-create the self-signed certificate, together with its private key, from the certificate backup files:
CREATE CERTIFICATE CertificateforTDE
FROM FILE = 'D:\TDE_Demo_Backup\CertificateforTDE.cer'
WITH PRIVATE KEY (FILE = 'D:\TDE_Demo_Backup\CertificateforTDE.key',
                  DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1');
GO
We are now ready to restore the database on second SQL Server.
Note: You must OPEN MASTER KEY first and then perform the restore; otherwise the restore will fail.
Execute the script below, which we executed earlier, to restore the AdventureWorks2012 database:
USE [master]
GO
OPEN MASTER KEY DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd2'
RESTORE DATABASE [AdventureWorks2012]
FROM DISK = N'D:\Backups\AdventureWorks2012.bak' WITH FILE = 1,
MOVE N'MyFileStream' TO N'D:\Databases\MyFileStream',
MOVE N'AdventureWorks2012_Data' TO
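The whole sequence on the second server, in one script, as an added example rather than the post's own code: it includes the RESTORE MASTER KEY step that the text describes, then the certificate import, then the database restore with the master key open. The passwords, the certificate file names under D:\TDE_Demo_Backup\, the backup file and the MyFileStream target are the ones used in this post; the master-key backup path D:\TDE_Demo_Backup\ExportedMasterKey.key, the AdventureWorks2012_Log logical file name and the angle-bracket data and log target paths are assumptions and must be replaced with the real locations on the target instance.

```sql
-- Added example (not from the original post): restoring a TDE-protected
-- database on a second instance, end to end.
USE [master];
GO

-- 1. Restore the database master key from the backup taken on the first server.
--    DECRYPTION BY PASSWORD is the password the backup file was written with
--    ('$tr0ngPa$$w0rd1' in this post); ENCRYPTION BY PASSWORD is the password
--    the DMK will have on this server ('$tr0ngPa$$w0rd2' in this post).
--    The file path is an assumed copy location. If this instance already has a
--    DMK protecting keys that cannot be decrypted, RESTORE MASTER KEY refuses to
--    run unless FORCE is added, and FORCE makes those keys unrecoverable.
RESTORE MASTER KEY
    FROM FILE = 'D:\TDE_Demo_Backup\ExportedMasterKey.key'
    DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1'
    ENCRYPTION BY PASSWORD = '$tr0ngPa$$w0rd2';
GO

-- 2. Open the restored DMK. As the note above says, the restore fails without this.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd2';

-- 3. Re-create the certificate from its backup, including the private key.
--    TDE needs the private key, so a .cer file on its own is not enough.
CREATE CERTIFICATE CertificateforTDE
    FROM FILE = 'D:\TDE_Demo_Backup\CertificateforTDE.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE_Demo_Backup\CertificateforTDE.key',
        DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1');

-- 4. Restore the database. SQL Server finds the certificate by the thumbprint
--    stored with the DEK in the backup, which is why step 3 had to come first.
--    Target paths in angle brackets are placeholders; the log logical name is assumed.
RESTORE DATABASE [AdventureWorks2012]
    FROM DISK = N'D:\Backups\AdventureWorks2012.bak'
    WITH FILE = 1,
         MOVE N'AdventureWorks2012_Data' TO N'<data path>\AdventureWorks2012_Data.mdf',
         MOVE N'AdventureWorks2012_Log'  TO N'<log path>\AdventureWorks2012_Log.ldf',
         MOVE N'MyFileStream'            TO N'D:\Databases\MyFileStream';

-- 5. Close the DMK again once the restore is done.
CLOSE MASTER KEY;
GO
```

If step 4 still fails with the certificate error shown earlier, compare the thumbprint in sys.dm_database_encryption_keys (from the backup header of the restored database, once it is restored on the source) with sys.certificates on the target: a certificate re-created with the same name but from a different backup has a different thumbprint and will not be accepted.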
Limitations of Transparent Data Encryption

• TDE does not provide encryption across communication channels.
• When enabling TDE, you should immediately back up the certificate and the private key associated with the certificate. If the certificate ever becomes unavailable, or if you must restore or attach the database on another server, you must have backups of both the certificate and the private key or you will not be able to open the database.
• The encrypting certificate or asymmetric key should be retained even if TDE is no longer enabled on the database. Even though the database is not encrypted, the database encryption key may be retained in the database and may need to be accessed for some operations.
• Altering the certificates to be password-protected after they are used by TDE will cause the database to become inaccessible after a restart.
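Three of these limitations can be turned into routine checks. The script below is an added example, not part of the original post, and assumes nothing beyond the catalog views and DMVs it names: the first query lists every certificate that protects a DEK (including DEKs retained in databases where TDE has since been switched off) and flags ones whose private key has never been backed up or is no longer protected by the database master key; the second lists current sessions whose connection is not encrypted, which TDE does nothing about.

```sql
-- Added example (not from the original post): posture checks that follow from
-- the TDE limitations listed above.

-- (a) Certificates protecting a DEK on this instance. The join also covers
--     databases that were decrypted but still keep their DEK (third bullet).
--     pvt_key_last_backup_date is NULL until BACKUP CERTIFICATE ... WITH PRIVATE KEY
--     has been run (second bullet); a private key whose protection is no longer
--     ENCRYPTED_BY_MASTER_KEY cannot be opened by TDE after a restart (fourth bullet).
SELECT  DB_NAME(dek.database_id)            AS database_name,
        dek.encryption_state,               -- 1 = DEK retained but database unencrypted
        c.name                              AS certificate_name,
        c.pvt_key_encryption_type_desc,
        c.pvt_key_last_backup_date,
        CASE
            WHEN c.pvt_key_last_backup_date IS NULL
                THEN 'PRIVATE KEY NEVER BACKED UP'
            WHEN c.pvt_key_encryption_type_desc <> 'ENCRYPTED_BY_MASTER_KEY'
                THEN 'PRIVATE KEY NOT PROTECTED BY DMK'
            ELSE 'OK'
        END                                 AS finding
FROM    sys.dm_database_encryption_keys     AS dek
JOIN    master.sys.certificates             AS c
        ON c.thumbprint = dek.encryptor_thumbprint
ORDER BY finding, database_name;

-- (b) TDE does not encrypt the wire (first bullet). Sessions below are talking
--     to the instance over an unencrypted connection; the fix is TLS on the
--     instance (Force Encryption) or Encrypt=yes in the client connection string,
--     not anything in the TDE configuration.
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        c.client_net_address,
        c.net_transport,
        c.encrypt_option                    -- 'TRUE' when the session is encrypted
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
        ON s.session_id = c.session_id
WHERE   c.encrypt_option = 'FALSE'
ORDER BY s.login_name, s.host_name;
```

Query (a) is worth scheduling: a certificate that has never been backed up is a single point of failure for every database it protects, and the first time most teams discover that is during a restore to another server.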