Friday, December 19, 2008

Transparent Data Encryption (TDE) in SQL Server 2008

Transparent Data Encryption (TDE) is another new feature in SQL Server 2008.
It performs real-time I/O encryption and decryption of the data and log files, that is the entire database. For achieving that, it uses a database encryprion key stored in the database boot record.

A derived benefit of TDE is that whenever a database using TDE is backed up, the backup set is also encrypted.

All of the above provide significant data security in SQL Server 2008.

The procedure for encrypting a database is provided below by T-SQL Code example:

USE master
GO

--Step 1: Create a Master Key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password_goes_here';
GO

--Step 2: Create or obtain a certificate protected by the master key
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'MyCertificate'
GO

--Step 3: Create a database encryption key and protect it by the certificate
USE [DATABASE_NAME]
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE MyServerCert
GO

--Step 4: Set the database to use encryption
ALTER DATABASE [DATABASE_NAME]
SET ENCRYPTION ON
GO

After the above are performed, the database will enter the "Encrypted" state.

Remarks:

1 (Important SQL Server 2008 notice regarding TDE). When enabling TDE, you should immediately back up the certificate and the private key associated with the certificate . This is absolutely necessary when trying to restore or attach the encrypted database on another server because you will need to use these keys and certificates. In the opposite case the database will not be accessible. Additionally the encrypting certificate should be retained even if TDE is no longer enabled on the database as it may need to be accessed for some operations.

2. Steps 3 and 4 can be performed from within SQL Server 2008 Management Studio by right-clicking on the database and selecting Tasks --> Manage Database Encryption.

3. Note that four encryption are currently provided:
AES_128
AES_192
AES_256
Triple_DES

4. The entire TDE on a database is completely transparent to the user as it is performed in the background and on the fly.

More information regarding Transparent Data Encryption in SQL Server 2008 can be found in the following link.
[Ads]
Check out my latest eBook on SQL Server:
Tuning SQL Server - Ebook

Easily secure your SQL Server instances! Try out DBA Security Advisor!
DBA Security Advisor for SQL Server by SQLArtBits
DBA Security Advisor was developed by SQLArtBits. The tool was being carefully developed for an entire year and it contains comprehensive security checks and recommendations based on proven SQL Server security best practices. Feel free to download and use the Community Edition which is free and if you find it useful, you can consider upgrading to the Enterprise Edition!

Artemakis Artemiou [MVP]

Author & Editor

Artemakis Artemiou is a Senior SQL Server Architect, Software Developer and Microsoft Data Platform MVP. He is also an author, regular blogger, president of Cyprus.NET User Group and CY Country leader of INETA-EU. He is also the creator of DBA Security Advisor and In-Memory OLTP Simulator. Artemakis is a frequent guest author of worldwide well-respected online journals where he writes articles focusing on many SQL Server topics.

Reference: The SQL Server and .NET Hub (http://www.sqlnethub.com)

0 comments: