Using Transparent Data Encryption Feature of SQL Server 2008
March 01, 2010
Transparent Data Encryption is a new feature in SQL Server 2008. The TDE feature provides real time encryption of both data and log files. Encryption basically working in the following way; initially the data is encrypted before it's being written to the disk and it is decrypted before it is being read from the disk. When you are using the Transparent Data Encryption feature of SQL Server 2008 the encryption is performed by the SQL Server 2008 Database Engine and the SQL Server clients will not be aware of this change. However, before implementing this feature in Production environment I would request you to validate the solution completely in the Test Environment.
To enable Transparent Data Encryption Feature of SQL Server 2008 on a database, the DBA needs to perform the below mentioned four steps as described in Books Online:-
1. Create a master key
2. Create or obtain a certificate protected by the master key
3. Create a database encryption key and protect it by the certificate
4. Set the database to use encryption
Create a Master Key
The initial step will be to identify if there is any Master Key already created in the Instance of SQL Server 2008 where you want to implement this feature. You can verify the same by executing the below mentioned TSQL code.
USE master GO SELECT * FROM sys.symmetric_keys WHERE name LIKE '%MS_DatabaseMasterKey%' GO
If there are no records found, then it means there was no predefined Master Key on the SQL Server 2008 Instance. To create a Master Key, you can execute the below mentioned TSQL code.
USE master GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'pass@word1' GO
Create or obtain a certificate protected by the Master Key
Once Master Key is created then the next step will be to Create or obtain a certificate protected by the master key. This can be achieved by executing the below mentioned TSQL code.
Use master GO CREATE CERTIFICATE TDECertificate WITH SUBJECT = 'SQL Server TDE Certificate' GO /* Verify Certificate */ SELECT * FROM sys.certificates where [name] = 'TDECertificate' GO
Create a database encryption key and protect it by the certificate
Next step will be to create a new database. Once the database is created you can create a database encryption key and protect it by the certificate by executing the below mentioned TSQL code.
Use master GO CREATE DATABASE TryEncryption GO Use TryEncryption GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE TDECertificate GO
Once the Database Encryption Key is created successfully you need to take a backup of the Certificate and the Private Key by executing the below mentioned TSQL code.
BACKUP CERTIFICATE TDECertificate TO FILE = 'D:\TDE\TDECertificate.cert' WITH PRIVATE KEY ( FILE = 'D:\TDE\EncryptPrivateKey.key', ENCRYPTION BY PASSWORD = 'Certific@tePass@word') GO
Set the database to use encryption
The final step will be to enable encryption on the user database by executing the below mentioned TSQL code.
ALTER DATABASE TryEncryption SET ENCRYPTION ON GO
Verify Database Encryption Status
You can verify the database encryption status by executing the below mentioned TSQL code.
SELECT DB_NAME(database_id) AS DatabaseName ,Encryption_State AS EncryptionState ,key_algorithm AS Algorithm ,key_length AS KeyLength FROM sys.dm_database_encryption_keys GO SELECT NAME AS DatabaseName ,IS_ENCRYPTED AS IsEncrypted FROM sys.databases where name ='TryEncryption' GO
Advantages of Transparent Data Encryption
1. Physical Security of Database Files
2. When Transparent Database Encryption feature is used all the backups of the TDE enabled database are encrypted
Disadvantages of Transparent Data Encryption
1. As Encryption is CPU intensive and it is performed at I/O level, any server with higher I/O and higher CPU load should avoid using this feature
2. This feature is only available in Enterprise and Developer Editions of SQL Server 2008
3. TDE encrypted database cannot be attached or restored in other edition of SQL Server 2008
4. If the certificate is lost then the data will be unreadable. Hence you need to protect the certificate and master key along with the database backup files
5. If you are using FILESTREAM feature, then be informed that only FILESTREAM enabled database is encrypted and not the actual files which are residing on the servers file system will be encrypted
6. There won't be much of a benefit if you planning to use Database Backup Compression feature of SQL Server 2008
7. As TempDB database is automatically encrypted once you have enabled encryption on any of the user databases. This resulted in slow query performance for non encrypted databases which may use TempDB
For more information you can check the following link
Continue Free Learning...
Geeks who read this article also read…
- How to Identify Currently Used SQL Server Authentication Mode
- How to identify if the database was upgraded from a previous version of SQL Server
- How to Get Exclusive Access to SQL Server Database
- Understanding SQL Server Recovery Models
- Changing Default SQL Server Backup Folder in SQL Server 2008
- Changing the default location of SQL Server Data and Log files
- Enforce Password Policies and Password Expiration for SQL Server Logins
- How to Backup an Analysis Services Database Using SQL Server Management Studio
- How to Delete Duplicate Records from an SQL Server Table
- Auditing SQL Server Logins
- New Date and Time Data Types in SQL Server 2008
- Date and Time Functions in SQL Server 2008
- How to Remotely Shutdown, Restart or Log Off Windows Server across the network
- Configuring Database Instant File Initialization Feature of SQL Server
- Microsoft SQL Server Build Versions
- Database Backup Compression Feature In SQL Server 2008
- Read More SQL Server Articles…