Transparent Data Encryption (TDE) in SQL Server 2008

Transparent Data Encryption (TDE) is another new feature in SQL Server 2008.
It performs real-time I/O encryption and decryption of the data and log files, that is, of the entire database. To achieve this, it uses a database encryption key (DEK) stored in the database boot record.

A derived benefit of TDE is that whenever a database using TDE is backed up, the backup set is also encrypted.

All of the above provide significant data security in SQL Server 2008.

The procedure for encrypting a database is shown below as a T-SQL code example:

USE master
GO

-- Step 1: Create a master key in the master database
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password_goes_here';
GO

-- Step 2: Create or obtain a certificate protected by the master key
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'MyCertificate';
GO

-- Step 3: Create a database encryption key in the target database and protect it by the certificate
USE [DATABASE_NAME]
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO

-- Step 4: Set the database to use encryption
ALTER DATABASE [DATABASE_NAME]
SET ENCRYPTION ON;
GO

After the above are performed, the database will enter the "Encrypted" state.

Remarks:

1. (Important SQL Server 2008 notice regarding TDE.) When enabling TDE, you should immediately back up the certificate and the private key associated with it. This is absolutely necessary when trying to restore or attach the encrypted database on another server, because you will need these keys and certificates there; otherwise the database will not be accessible. Additionally, the encrypting certificate should be retained even if TDE is no longer enabled on the database, as it may still be needed for some operations.

2. Steps 3 and 4 can be performed from within SQL Server 2008 Management Studio by right-clicking on the database and selecting Tasks -> Manage Database Encryption.

3. Note that four encryption algorithms are currently supported:
AES_128
AES_192
AES_256
Triple_DES

4. TDE is completely transparent to the user, since encryption and decryption are performed in the background and on the fly.
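As an added example (not part of the original post), the T-SQL that remark 1 calls for: backing up the certificate and its private key right after step 4, checking that the database has actually reached the "Encrypted" state, and recreating the certificate on a destination server before restoring the encrypted database there. The file paths and passwords are placeholders.

```sql
-- Remark 1: back up the certificate and its private key immediately after enabling TDE.
-- Paths and passwords are placeholders; store the files away from the server itself.
USE master;
GO
BACKUP CERTIFICATE MyServerCert
    TO FILE = 'C:\TDEBackup\MyServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEBackup\MyServerCert.pvk',
        ENCRYPTION BY PASSWORD = 'private_key_password_goes_here'
    );
GO

-- Step 4 verification: confirm the database has reached the "Encrypted" state.
-- encryption_state 2 = encryption in progress, 3 = encrypted; percent_complete shows the scan.
-- tempdb also appears here once any user database on the instance is encrypted.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
GO

-- On the destination server, before RESTORE DATABASE or attaching the encrypted database:
-- recreate the certificate from the backup files under that server's own master key.
USE master;
GO
-- Skip this statement if the destination master database already has a master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'destination_master_key_password_goes_here';
GO
CREATE CERTIFICATE MyServerCert
    FROM FILE = 'C:\TDEBackup\MyServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEBackup\MyServerCert.pvk',
        DECRYPTION BY PASSWORD = 'private_key_password_goes_here'
    );
GO
```

Without the certificate (and the password protecting its private key) the restore on the destination server fails, so the backup of the certificate is as important as the backup of the database.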

More information regarding Transparent Data Encryption in SQL Server 2008 can be found in the following link.


Artemakis Artemiou
Artemakis Artemiou is a Senior SQL Server Architect, Author, Software Developer and a Microsoft Data Platform MVP. He has over 15 years of experience in the IT industry in various roles. Among other, via his initiative SQLEBooks.com, Artemakis authors and publishes eBooks on different topics on SQL Server. Artemakis currently serves as the President of the Cyprus .NET User Group (CDNUG) and the International .NET Association Country Leader for Cyprus (INETA). Additionally he is the founder of the SQLArtBits initiative that aims to provide the technical community with simple, yet powerful and high-quality SQL Server tools. Currently, the highlights of these tools are DBA Security Advisor and In-Memory OLTP Simulator. Artemakis's official website can be found at aartemiou.com. Artemakis's blogs can be found at: SQLNetHub.com and TechHowTos.com.