015 SQL Server 2012 Features For Admins Lesson 15 AlwaysOn With TDE Lab Manual

Uploaded by Milan Trninić

Lesson 15: Configuring Transparent Data Encryption and AlwaysOn

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential

Conditions and Terms of Use

Microsoft Confidential - For Internal Use Only

This training package is proprietary and confidential, and is intended only for uses described in the training
materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be
distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is
strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without
warranty of any kind, whether express or implied, including but not limited to the implied warranties of
merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without
notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred.

© 2012 Microsoft Corporation. All rights reserved.

Copyright and Trademarks

© 2012 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.


Configuring Transparent Data Encryption and AlwaysOn
Introduction
In this lab you will set up TDE on a copy of AdventureWorks2012, then manually set up an
AlwaysOn Availability Group and add members to it using T-SQL commands.

Objectives
After completing this lab, you will be able to:
• Create keys and certificates.
• Enable Transparent Data Encryption.
• Set up AlwaysOn using T-SQL commands.

Prerequisites
Virtual environments SQLAdmin11CluN1 and SQLAdmin11CluN2 are available and an
unencrypted backup of Adventureworks2012 is available at the location
\\SQLADMIN11DC\SQLBackups\

Estimated time to complete this lab: 40 minutes

Virtual Machines Needed for this Lab:
• SQL11AdminWork
• SQLAdmin11CluN1
• SQLAdmin11CluN2

Scenario
• If a database is encrypted or even contains a Database Encryption Key (DEK),
you cannot use the New Availability Group Wizard or Add Database to
Availability Group Wizard to add the database to an availability group. Even if
an encrypted database has been decrypted, its log backups might contain
encrypted data. In this case, full initial data synchronization could fail on the
database. This is because the restore log operation might require the certificate
that was used by the database encryption keys (DEKs), and that certificate might
be unavailable.
• If an AlwaysOn Availability Group already exists, adding a new Replica can
only be achieved by manually adding the new member and initializing the
database.


Exercise 1: Configuring Transparent Data Encryption

Note: Scripts for this exercise can be found at:
L:\Features\Labs\ Lesson 15 - AlwaysOn\TSQLScriptsForExcercise1.sql on SQL11AdminWork.

Objectives
In this exercise, you will:
• Learn to create Master/Database Keys and Certificates.
• Learn to use the Certificates created to enable TDE using encryption algorithms.
• Learn to create a backup of a certificate.

Scenario
You have a database that houses sensitive data, like Social Security Numbers, Date of
Birth, or addresses.

Create the keys and certificates and enable TDE
1. Log into SQL11AdminWork.
2. Open SQL Server Management Studio.
3. Connect to SQLAdmin11CluN2 in Object Explorer.
4. Click New Query.
5. Now we are going to restore an unencrypted copy of AdventureWorks2012 on
SQLADMIN11CLUN2. Note that the database is being restored as
Adventureworks2012_ENC and that the data and log files are relocated with the
MOVE option.
6. Type the following command in the query window and execute it (the same script
is in the file noted above):
USE [master]
GO

RESTORE DATABASE [Adventureworks2012_ENC] FROM DISK =
N'\\SQLADMIN11DC\SQLBackups\Adventureworks2012.bak'
WITH FILE = 1, MOVE N'AdventureWorks2008R2_Data'
TO N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\AdventureWorksDenali_ENC_Data.mdf',
MOVE N'AdventureWorks2008R2_Log' TO N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\Adventureworks2012_ENC_log.ldf',
NOUNLOAD, STATS = 5
GO

7. Now type this in a new query window and execute it. This will create the Master
Encryption Key and Certificate in the master database.


USE master
GO

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '3ncrypt10n!'
GO

CREATE CERTIFICATE AdventurousCert
WITH SUBJECT = 'DEK Certificate to encrypt Adventure Works 2012'
GO

8. Type this in a new query window and execute it to create the Database Encryption
Key in Adventureworks2012_ENC with the AES_256 algorithm, then turn encryption on.
USE [Adventureworks2012_ENC]
GO

CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256   -- the algorithm named in this step
ENCRYPTION BY SERVER CERTIFICATE AdventurousCert
GO

ALTER DATABASE [Adventureworks2012_ENC]
SET ENCRYPTION ON
GO

9. Type this query and execute it to back up the certificate AdventurousCert we
created, together with its private key, to files on the share.
USE master
GO

BACKUP CERTIFICATE AdventurousCert
TO FILE = '\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.cer'
WITH PRIVATE KEY (FILE = '\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.pvk' ,
ENCRYPTION BY PASSWORD = '3ncrypt10n!' )
GO

10. Type this into a New Query window and execute to create a backup of the encrypted
database.
USE master
GO

BACKUP DATABASE [Adventureworks2012_ENC]
TO DISK = N'\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.bak'
WITH NOFORMAT, NOINIT, NAME = N'Adventureworks2012_ENC-Full Database Backup',
SKIP, NOREWIND, NOUNLOAD, COMPRESSION, STATS = 10
GO


Exercise 2: Setting up AlwaysOn for a TDE enabled database

Note: Scripts for this exercise can be found at:
L:\Features\Labs\ Lesson 15 - AlwaysOn\TSQLScriptsForExcercise2.sql on SQL11AdminWork.

Objectives
In this exercise, you will:
• Create the Availability Groups and add Replicas.
• Prepare the Replica to be used in the Availability Group.
• Finalize the Replica and join the Availability Group.

Scenario
You have a database that is encrypted or contains a DMK, or you have an existing
AlwaysOn Availability group you want to enroll a new Replica in.

Prerequisites
Completed Exercise 1.

Create the Availability Group, add members and take a transaction log backup
Run the steps below on SQLAdmin11CluN2 to create the AlwaysOn Availability Group
AdventuresEncryptedClu on SQLAdmin11CluN2 and add SQLAdmin11CluN1 as a
Replica.

Note: The code for the script below can be found here:
L:\Features\Labs\ Lesson 15 - AlwaysOn \2preparePrimary_sqladmin11clun2.sql

1. Connect to SQLAdmin11CluN2 in a new Query Window in SQL Server Management Studio.
USE [master]
GO

CREATE AVAILABILITY GROUP [AdventuresEncryptedClu]
WITH (AUTOMATED_BACKUP_PREFERENCE = PRIMARY)
FOR DATABASE [Adventureworks2012_ENC]
REPLICA ON N'SQLADMIN11CLUN2' WITH (ENDPOINT_URL =
N'TCP://SQLADMIN11CLUN2.SQLAdmin11.lcl:5022',
FAILOVER_MODE = AUTOMATIC, AVAILABILITY_MODE = SYNCHRONOUS_COMMIT, SESSION_TIMEOUT
= 10, BACKUP_PRIORITY = 50,
PRIMARY_ROLE(ALLOW_CONNECTIONS = ALL), SECONDARY_ROLE(ALLOW_CONNECTIONS = NO));
GO

USE [master]
GO

ALTER AVAILABILITY GROUP [AdventuresEncryptedClu]
ADD REPLICA ON N'SQLADMIN11CLUN1'
WITH (ENDPOINT_URL = N'TCP://SQLADMIN11CLUN1.SQLAdmin11.lcl:5022',
FAILOVER_MODE = AUTOMATIC, AVAILABILITY_MODE = SYNCHRONOUS_COMMIT, SESSION_TIMEOUT = 10,
PRIMARY_ROLE(ALLOW_CONNECTIONS = ALL), SECONDARY_ROLE(ALLOW_CONNECTIONS = NO));
GO

2. Run this command in a new query window to create a Transaction Log Backup on
SQLAdmin11CluN2 to be used to finalize the enrollment of the Replica on
SQLAdmin11CluN1.
BACKUP LOG [Adventureworks2012_ENC]
TO DISK = N'\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.trn'
WITH NOFORMAT, NOINIT, NAME = N'Adventureworks2012_ENC-Transaction Log Backup',
SKIP, NOREWIND, NOUNLOAD, STATS = 10
GO

Prepare and enroll the Replica in the Availability Group.

3. In Object Explorer click Connect | Database Engine.
4. Type SQLAdmin11CluN1 as the server name and click Connect.
5. Highlight SQLAdmin11CluN1 in Object Explorer, right-click it and choose New Query.
6. Type this query in the window and execute it to create the Master Encryption Key in
the master database (the certificate is restored in the next step).
USE master
GO

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '3ncrypt10n!'
GO

7. Now type this and execute this to restore the Certificate from the Backup we created
in Exercise 1 on SQLAdmin11CluN1.
CREATE CERTIFICATE AdventurousCert
FROM FILE = '\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.cer'
WITH PRIVATE KEY (FILE = '\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.pvk',
DECRYPTION BY PASSWORD = '3ncrypt10n!');
GO
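The following verification script is an addition to this manual, not one of the lab's own scripts; it checks the state behind steps 8 and 9 of Exercise 1 and step 7 above. Run it in master on SQLAdmin11CluN2 to see the DEK's encryption state and the thumbprint of the certificate protecting it (and whether that certificate's private key has been backed up), then on SQLAdmin11CluN1 to confirm a certificate with the same thumbprint now exists there. Object names are the lab's; the encryption_state decoding follows the documented values of sys.dm_database_encryption_keys.

```sql
USE master;
GO

-- Added check, not part of the lab scripts: the certificate that protects the DEK,
-- its thumbprint, and whether its private key has ever been backed up. A NULL
-- pvt_key_last_backup_date means no .cer/.pvk pair exists, so the encrypted
-- database could not be restored or joined to the group on any other instance.
SELECT  c.name,
        CONVERT(varchar(64), c.thumbprint, 2)  AS thumbprint_hex,
        c.pvt_key_encryption_type_desc,        -- MK = protected by the database master key
        c.pvt_key_last_backup_date,
        CASE WHEN c.pvt_key_last_backup_date IS NULL
             THEN 'PRIVATE KEY NOT BACKED UP' ELSE 'backed up' END AS backup_status
FROM    sys.certificates AS c
WHERE   c.name = N'AdventurousCert';

-- TDE state of the lab database and the certificate protecting its DEK. cert_name is
-- NULL when no certificate with the DEK's encryptor thumbprint exists on this
-- instance, which is the condition that makes a log restore fail on another node.
-- Returns no rows on an instance where the database does not exist yet.
SELECT  DB_NAME(dek.database_id)                    AS database_name,
        dek.encryption_state,
        CASE dek.encryption_state
             WHEN 0 THEN 'no DEK'
             WHEN 1 THEN 'unencrypted'
             WHEN 2 THEN 'encryption in progress'
             WHEN 3 THEN 'encrypted'
             WHEN 4 THEN 'key change in progress'
             WHEN 5 THEN 'decryption in progress'
             WHEN 6 THEN 'protection change in progress'
        END                                         AS encryption_state_desc,
        dek.key_algorithm,
        dek.key_length,
        dek.encryptor_type,                         -- CERTIFICATE for this lab
        CONVERT(varchar(64), dek.encryptor_thumbprint, 2) AS encryptor_thumbprint_hex,
        c.name                                      AS cert_name
FROM    sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
        ON c.thumbprint = dek.encryptor_thumbprint
WHERE   dek.database_id = DB_ID(N'Adventureworks2012_ENC');
GO
```

Compare encryptor_thumbprint_hex from the primary with thumbprint_hex on SQLAdmin11CluN1: they must be identical, otherwise the restores in steps 8 and 10 cannot open the DEK.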

8. Type this command and execute it to restore the Full Database backup we created in
Exercise 1 on SQLAdmin11CluN1. Ensure that the option NORECOVERY is
being used.
USE [master]
RESTORE DATABASE [Adventureworks2012_ENC]
FROM DISK = N'\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.bak'
WITH FILE = 1, NORECOVERY, NOUNLOAD, STATS = 5
GO

9. Type this and execute it on SQLAdmin11CluN1 to alter and join the Availability
Group AdventuresEncryptedClu.
ALTER AVAILABILITY GROUP [AdventuresEncryptedClu] JOIN;
GO

10. Type and execute this command to restore the Transaction Log backup from
SQLAdmin11CluN2 on SQLAdmin11CluN1. Ensure that the option
NORECOVERY is being used.
RESTORE LOG [Adventureworks2012_ENC]
FROM DISK = N'\\SQLADMIN11DC\SQLBackups\Adventureworks2012_ENC.trn'
WITH FILE = 1, NORECOVERY, NOUNLOAD, STATS = 10
GO

11. Type and execute this command to enable AlwaysOn for the database
Adventureworks2012_ENC on SQLAdmin11CluN1 in the AdventuresEncryptedClu
Availability Group.
ALTER DATABASE [Adventureworks2012_ENC] SET HADR AVAILABILITY GROUP =
[AdventuresEncryptedClu];
GO

12. In Object Explorer on SQLAdmin11CluN2, expand the AlwaysOn High
Availability group and examine the Availability Replicas and Availability Databases
groups. Answer the questions below.
a. Which SQL Server Replicas are the Primary and Secondary?
b. What Availability Databases are included in the AdventuresEncryptedClu
Availability Group?
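To check the same state from T-SQL rather than Object Explorer, the following queries are added here; they are not among the lab's scripts. Run them on SQLAdmin11CluN2: the primary reports state for every replica and database in the group, while a secondary only reports its own. Object names are the lab's; the DMV columns are those of SQL Server 2012.

```sql
USE master;
GO

-- Added check, not part of the lab scripts: which replica holds which role and
-- whether the replicas are connected and healthy (question 12a).
SELECT  ag.name                            AS ag_name,
        ar.replica_server_name,
        ar.availability_mode_desc,         -- SYNCHRONOUS_COMMIT per the CREATE/ALTER above
        ar.failover_mode_desc,             -- AUTOMATIC per the CREATE/ALTER above
        ars.role_desc,                     -- PRIMARY / SECONDARY
        ars.operational_state_desc,
        ars.connected_state_desc,
        ars.synchronization_health_desc    -- HEALTHY once the secondary has caught up
FROM    sys.availability_groups AS ag
JOIN    sys.availability_replicas AS ar
        ON ar.group_id = ag.group_id
LEFT JOIN sys.dm_hadr_availability_replica_states AS ars
        ON ars.replica_id = ar.replica_id
WHERE   ag.name = N'AdventuresEncryptedClu'
ORDER BY ars.role_desc, ar.replica_server_name;

-- Databases in the group and their synchronization state on each replica (question 12b).
-- is_suspended / suspend_reason_desc show whether data movement has stopped and why;
-- the two queue sizes (KB) show how far a secondary lags behind the primary.
SELECT  ar.replica_server_name,
        adc.database_name,
        drs.synchronization_state_desc,    -- SYNCHRONIZED for a healthy synchronous replica
        drs.synchronization_health_desc,
        drs.is_suspended,
        drs.suspend_reason_desc,
        drs.log_send_queue_size,           -- log not yet sent to this replica
        drs.redo_queue_size                -- log received but not yet redone
FROM    sys.dm_hadr_database_replica_states AS drs
JOIN    sys.availability_replicas AS ar
        ON ar.replica_id = drs.replica_id
JOIN    sys.availability_databases_cluster AS adc
        ON adc.group_database_id = drs.group_database_id
JOIN    sys.availability_groups AS ag
        ON ag.group_id = drs.group_id
WHERE   ag.name = N'AdventuresEncryptedClu'
ORDER BY adc.database_name, ar.replica_server_name;
GO
```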
