GDMS_SQL_Server_2012_Transparent_Data_Encryption

This document provides a comprehensive guide on implementing SQL Server Transparent Data Encryption (TDE) to secure databases at rest. It outlines the necessary steps for creating master keys, certificates, and database encryption keys, as well as procedures for backing up and restoring TDE-enabled databases. Additionally, it discusses the use of the Cyber-Ark Enterprise Password Vault for storing sensitive keys and certificates securely.

Uploaded by Kaushik Majumder

DELL

SQL Server Transparent Data Encryption

SECURITY WARNING

The information contained herein is proprietary to Dell Inc. and must not be disclosed to non-Dell
personnel. The recipient of this document, by its retention and use, agrees to protect the
information contained herein.

DO NOT DISCLOSE ANY OF THIS INFORMATION WITHOUT OBTAINING PERMISSION
FROM THE MANAGEMENT RESPONSIBLE FOR THIS DOCUMENT.

Prepared By
Jorge Vergara & Chandra Uppuluri
Database Engineering & Security and Compliance Team
Table of Contents
Document Revision History
1 High Level Overview
    1.1 Overview of TDE functionality
    1.2 Components involved
    1.3 Reference
    1.4 High level process flow
2 TDE Implementation
    2.1 Create the master key
    2.2 Backup the master key to a file
    2.3 Create the certificate
    2.4 Backup the certificate
    2.5 Create the database encryption key
    2.6 Set the database up for encryption
    2.7 Checking the encryption status of a database
3 Using EPV to store the keys and certificates
    3.1 PAC Group
    3.2 Storing Objects in EPV
    3.3 Searching for TDE files in EPV
4 Restoring a TDE enabled database in a different server
5 TDE with Mirror
    5.1 On the DR server
    5.3 On the PRIMARY server
6 TDE with replication
7 TDE with Linked Servers
8 TDE enabled databases backup/restore with Legato
9 Backup/Restore after disabling TDE
Document Revision History
The revision history shows the history for this Business Requirements Document and provides
descriptions of particular changes made.

Date    Version    Update Description    Contact Name
7/23    0.1        Initial creation      Jorge Vergara
1 High Level Overview
1.1 Overview of TDE functionality
TDE fulfills the requirement of “Encryption at rest”. In other words, it prevents the database or its
data files from being used if they are moved, without authorization, away from the server where they were
created (the certificate protecting them stays behind in that server's master database). Below is a technical
description of how TDE works, taken from the Microsoft documentation referenced in section 1.3:
“Transparent data encryption (TDE) performs real-time I/O encryption and decryption of the data and
log files. The encryption uses a database encryption key (DEK), which is stored in the database boot
record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored
in the master database of the server or an asymmetric key protected by an EKM module. TDE protects
data "at rest", meaning the data and log files. It provides the ability to comply with many laws, regulations,
and guidelines established in various industries. This enables software developers to encrypt data by
using AES and 3DES encryption algorithms without changing existing applications.”
One important note: TDE does not provide encryption across communication channels, also known
as “Encryption on Transport”.
The image below shows the architecture of TDE encryption:
1.2 Components involved
- SQL Server 2012 with TDE
- Cyber-Ark Enterprise Password Vault

1.3 Reference
Microsoft MSDN Library at:
http://msdn.microsoft.com/en-us/library/bb934049.aspx

1.4 High level process flow


2 TDE Implementation
Follow the steps below to enable TDE for a database in a particular server:

2.1 Create the master key


The master key for the server is created on the master database. This key will be used by SQL
Server to create the certificates.
Use the commands below to create the master key:
USE master
GO

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>'
GO

The password must meet the Windows password policy requirements of the computer that is
running the instance of SQL Server. This password also will need to be stored in a safe location.

2.2 Backup the master key to a file.


The master key should be backed up to a file. Use the command below to back up the master key to a
file:

USE master
GO

BACKUP MASTER KEY TO FILE = '<path>\<file name>'
    ENCRYPTION BY PASSWORD = '<strong password>' -- different from the password used to create the key
GO

2.3 Create the certificate


The certificate is also created on the master database. The certificate name should follow the
following standard: <server name>_TDE_Cert
E.g. AUSSQL2K12POC1_TDE_Cert
Use the commands below to create the certificate.

USE master
GO

CREATE CERTIFICATE <certificate name> WITH SUBJECT = '<subject>'
GO

The certificate is used to create the DEK (Database Encryption Key). If the certificate cannot be
accessed the DEK cannot be validated and the database cannot be used. Therefore the certificate must
be kept in a safe location. In the next chapter we will discuss the process to store the certificate inside
Enterprise Password Vault.
2.4 Backup the certificate.
Backing up the certificate is one of the most important parts of this process. The certificate is used
to create and validate the DEK and it must be available (on the master database) whenever SQL Server
tries to open a TDE enabled database. The backup will also generate a private key backup which must be
kept along with the backup of the certificate.
Both the certificate and the private key backups must be kept in a secure location. If the TDE
enabled database ever needs to be moved to another server the original certificate will need to be
recreated on the new server from this backup file.
You should use the standard below for the backup file names of the certificate and the private key:
- Certificate backup: use the certificate name in the form of <server name>_TDE_Cert.
- Private Key: <server name>_TDE_Cert_Priv_Key

Use the command below to create a backup of the certificate (along with its private key). The private
key file name follows the standard above (<server name>_TDE_Cert_Priv_Key).

BACKUP CERTIFICATE <certificate name> TO FILE = '<path>\<file name>'
    WITH PRIVATE KEY (
        FILE = '<path>\<file name>_Priv_Key',
        ENCRYPTION BY PASSWORD = '<strong password>'
    )
GO

2.5 Create the database encryption key


The DEK should be created inside the database you want to enable TDE on. Use the commands
below to create the DEK:

USE <database name>
GO

CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE <certificate name>
GO

2.6 Set the database up for encryption


The last step of the process is to set the database for encryption. That is done using the command
below:

ALTER DATABASE <database name>
    SET ENCRYPTION ON;
GO
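Sections 2.1 to 2.6 are the steps of one procedure. The script below carries them through end to end for one server and one database, in the order the text gives them. It is an added example and not part of the original document; the server name AUSSQL2K12POC1, the database name SalesDB, the file share \\filesrv\tdebackups\ and the password placeholders are assumptions, and the file names follow the naming standard of sections 2.3, 2.4 and 3.2.

```sql
-- Added example (not part of the original document): full TDE enablement,
-- sections 2.1 to 2.6, for one server and one database.
-- Assumed names: server AUSSQL2K12POC1, database SalesDB, share
-- \\filesrv\tdebackups\. Replace the <...-replace-me> passwords and then store
-- them in EPV as described in section 3.

USE master;
GO

-- 2.1  Database master key in master. The password must meet the Windows
--      password policy of the host running the instance.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<MasterKeyPwd-replace-me>';
GO

-- 2.2  Back up the master key under a different password.
BACKUP MASTER KEY TO FILE = '\\filesrv\tdebackups\AUSSQL2K12POC1_TDE_Master_Key'
    ENCRYPTION BY PASSWORD = '<MasterKeyBkpPwd-replace-me>';
GO

-- 2.3  Certificate named after the server (<server name>_TDE_Cert).
CREATE CERTIFICATE AUSSQL2K12POC1_TDE_Cert
    WITH SUBJECT = 'TDE certificate for AUSSQL2K12POC1';
GO

-- 2.4  Back up the certificate and its private key: two files, one password.
--      Both files and this password go to EPV; without them a copy of the
--      database cannot be opened anywhere else.
BACKUP CERTIFICATE AUSSQL2K12POC1_TDE_Cert
    TO FILE = '\\filesrv\tdebackups\AUSSQL2K12POC1_TDE_Cert_Bkp'
    WITH PRIVATE KEY (
        FILE = '\\filesrv\tdebackups\AUSSQL2K12POC1_TDE_Cert_Priv_Key_Bkp',
        ENCRYPTION BY PASSWORD = '<CertPrivKeyBkpPwd-replace-me>'
    );
GO

-- 2.5  Database encryption key inside the database being protected, bound to
--      the server certificate created above.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE AUSSQL2K12POC1_TDE_Cert;
GO

-- 2.6  Turn encryption on. A background scan encrypts the existing pages while
--      the database stays online; section 2.7 shows how to watch its progress.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
```

The order matters: the certificate backup (2.4) is taken before the DEK is created (2.5), so the backup in EPV is guaranteed to exist before any database depends on the certificate.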
2.7 Checking the encryption status of a database
The following table shows TDE catalog views and dynamic management views.

Catalog or dynamic management view               Purpose
sys.symmetric_keys (Transact-SQL)                Returns one row for every symmetric key created with the
                                                 CREATE SYMMETRIC KEY statement.
sys.databases (Transact-SQL)                     Catalog view that displays database information.
sys.certificates (Transact-SQL)                  Catalog view that shows the certificates in a database.
sys.dm_database_encryption_keys (Transact-SQL)   Dynamic management view that provides information about the
                                                 encryption keys used in a database, and the state of
                                                 encryption of a database.
3 Using EPV to store the keys and certificates
3.1 PAC Group
A new active directory group has been created to allow SQL DBAs access to the EPV safe used
to store the TDE files. The group is called: Americas\GDMS_SQL_TDE_ADMINS. SQL DBAs should fill
out a PAC WOW form following the example below in order to be included in this group.

Fill out the form as per the example, enter your justification and submit the form.
3.2 Storing Objects in EPV
The following objects will need to be stored in EPV for EACH SERVER that has a TDE encrypted
database:
- The Password used to create the Master Key (necessary to set up mirroring)
- Master Key of the server
- Master Key backup Password
- Certificate
- Certificate Private Key
- Certificate Private Key backup Password

To store the objects in EPV use the naming convention below:

Object                                    Standard Object Name      Standard Backup File Name
Master Key Password                       -                         <SERVER_NAME>_Master_Key_Pwd.txt
Master Key                                -                         <SERVER_NAME>_TDE_Master_Key
Master Key backup Password                -                         <SERVER_NAME>_TDE_Master_Key_Bkp_Pwd.txt
Certificate                               <SERVER_NAME>_TDE_Cert    <SERVER_NAME>_TDE_Cert_Bkp
Certificate Private Key                   -                         <SERVER_NAME>_TDE_Cert_Priv_Key_Bkp
Certificate Private Key backup Password   -                         <SERVER_NAME>_TDE_Cert_Priv_Key_Bkp_Pwd.txt

Copy the files mentioned above from the database server to your machine and make sure they
follow the naming convention guidelines. To upload the files to EPV follow the steps below:

1. Access EPV at the following URL: https://pvwa.us.dell.com/passwordvault
2. Select the Files tab.
3. Select the Add File button at the right of the screen.
4. The following screen will be displayed:

   Select the Safe: SQL Server TDE

   Provide a description for the file, e.g.
   “Master key Password for <server_name>”
   “Certificate for <server_name>”
   etc.

   Add the keywords: <server_name> SQL TDE. This will help when searching for the file later in EPV.

   Use the browse button to locate the file.

   Select SAVE.

Repeat this process for each file you need to store in EPV.
3.3 Searching for TDE files in EPV
Follow the steps below to search for TDE files in EPV:

1. Access EPV at the following URL: https://pvwa.us.dell.com/passwordvault
2. Select the Files tab.
3. Enter the value TDE in the search box and select Go. All the TDE files will be displayed.
4 Restoring a TDE enabled database in a different server
In order for the backup of a TDE enabled database to be restored on a different server the
Certificate used to encrypt the database on the original server must be created on the new server from a
backup. For the certificate to be created a Master Key must exist on the server. It does not have to be the
same Master Key used on the original server.
Follow the steps below before attempting to restore the database backup:

USE master
GO

-- Create a Master Key on the new server
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>'
GO

-- Restore the certificate from the primary server on the new server
CREATE CERTIFICATE <certificate name>
    FROM FILE = '<certificate backup path>'
    WITH PRIVATE KEY (
        FILE = '<certificate private key backup path>',
        DECRYPTION BY PASSWORD = '<strong password>'
    );
GO

The “DECRYPTION BY PASSWORD” must match the password that was used to back up the
certificate on the original server. This password should be in EPV along with the certificate in a file called
<server name>_TDE_Cert_Priv_Key_Bkp_Pwd.txt
From this moment on the backup from the original database can be restored normally to the new
server.
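The procedure above recreates the certificate and then restores, but gives no way to tell, before the restore runs, whether the certificate backup pulled from EPV is the right one. The script below is an added example, not part of the original document: it records the thumbprint of the certificate protecting the DEK on the original server, recreates the certificate on the new server, and compares thumbprints before restoring. The server name AUSSQL2K12POC1, the database SalesDB, the share \\filesrv\tdebackups\, the backup file SalesDB_full.bak and the password placeholders are assumptions; the EPV file names follow section 3.2.

```sql
-- Added example (not part of the original document): restore a TDE enabled
-- database on a different server, checking the certificate first.
-- Assumed names: source server AUSSQL2K12POC1, database SalesDB, backup files
-- on \\filesrv\tdebackups\.

-- Step 1 (run on the ORIGINAL server): which certificate protects the DEK?
SELECT DB_NAME(database_id) AS database_name, encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('SalesDB');
-- Keep the returned thumbprint; it is compared on the new server in step 4.

-- Steps 2 to 5 (run on the NEW server).
USE master;
GO

-- Step 2: a master key must exist. It does not have to be the original one,
-- so create it only if the new server has none yet.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<NewServerMasterKeyPwd-replace-me>';
GO

-- Step 3: recreate the certificate from the backup taken on the original
-- server. The password is the one stored in EPV as
-- AUSSQL2K12POC1_TDE_Cert_Priv_Key_Bkp_Pwd.txt.
CREATE CERTIFICATE AUSSQL2K12POC1_TDE_Cert
    FROM FILE = '\\filesrv\tdebackups\AUSSQL2K12POC1_TDE_Cert_Bkp'
    WITH PRIVATE KEY (
        FILE = '\\filesrv\tdebackups\AUSSQL2K12POC1_TDE_Cert_Priv_Key_Bkp',
        DECRYPTION BY PASSWORD = '<CertPrivKeyBkpPwd-replace-me>'
    );
GO

-- Step 4: the thumbprint of the recreated certificate must equal the value
-- from step 1. A mismatch means the wrong backup was used; the restore would
-- fail with "Cannot find server certificate with thumbprint ...".
DECLARE @expected varbinary(32) = 0x00;   -- placeholder: paste the step 1 value here
IF NOT EXISTS (SELECT 1 FROM sys.certificates
               WHERE name = 'AUSSQL2K12POC1_TDE_Cert' AND thumbprint = @expected)
    RAISERROR('Recreated certificate does not match the thumbprint protecting the source DEK.', 16, 1);
GO

-- Step 5: restore normally. Add MOVE clauses if the data and log file paths
-- differ on the new server.
RESTORE DATABASE SalesDB
    FROM DISK = '\\filesrv\tdebackups\SalesDB_full.bak'
    WITH RECOVERY;
GO
```

The thumbprint comparison is what makes the certificate name meaningful: the name AUSSQL2K12POC1_TDE_Cert can be given to any certificate, but only the one with the matching thumbprint can decrypt the DEK inside the backup.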
5 TDE with Mirror
The steps to set up mirroring for a TDE enabled database are very similar to restoring the TDE
enabled database in a different server.

5.1 On the DR server


The following steps need to be implemented on the DR server in order for a mirror to be
implemented.

Create the master key using the command below:

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>'
GO

Use the same password as in the primary server. This password should be in EPV in a file called
<SERVER_NAME>_Master_Key_Pwd.txt.

Use the command below to add encryption by SERVICE MASTER KEY to the master key.

ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
GO

Restore the certificate from the primary server to the DR server using the command below.

-- Restore the certificate from the primary server on the DR server
CREATE CERTIFICATE <certificate name>
    FROM FILE = '<certificate backup path>'
    WITH PRIVATE KEY (
        FILE = '<certificate private key backup path>',
        DECRYPTION BY PASSWORD = '<strong password>'
    );

Restore the database to the DR server normally. The commands below are examples.

RESTORE DATABASE <database name>
    FROM DISK = '<backup file>'
    WITH NORECOVERY

RESTORE LOG <database name>
    FROM DISK = '<backup file>'
    WITH NORECOVERY

Set the database on the DR side for mirroring:

ALTER DATABASE <database name>
    SET PARTNER = 'TCP://<fully qualified PRIMARY server name>:5022'

5.3 On the PRIMARY server:
The following steps need to be implemented on the Primary server in order for a mirror to be
implemented.

Open the master key using the command below:

OPEN MASTER KEY DECRYPTION BY PASSWORD = '<strong password>' -- password used to create the master key on the primary server

Set the primary database for mirroring:

ALTER DATABASE <database name>
    SET PARTNER = 'TCP://<fully qualified DR server name>:5022'
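Sections 5.1 and 5.3 are two halves of one procedure run on two servers. The two scripts below carry it through with concrete names and finish with a query that confirms the mirroring session is up. They are an added example and not part of the original document; the primary AUSSQL2K12POC1 (aussql2k12poc1.example.com), the DR server AUSSQL2K12DR1 (aussql2k12dr1.example.com), the database SalesDB, the share \\filesrv\tdebackups\ and the password placeholders are assumptions, port 5022 is the one used in the text, and the mirroring endpoints on that port are assumed to exist already on both servers.

```sql
-- Added example (not part of the original document): mirroring a TDE enabled
-- database. Assumed: primary aussql2k12poc1.example.com, DR server
-- aussql2k12dr1.example.com, database SalesDB, endpoints on port 5022 already
-- created on both servers, backups on \\filesrv\tdebackups\.

---------------------------------------------------------------------------
-- Script A: run on the DR server (section 5.1)
---------------------------------------------------------------------------
USE master;
GO
-- Same password as on the primary (EPV file AUSSQL2K12POC1_Master_Key_Pwd.txt).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<MasterKeyPwd-replace-me>';
GO
-- Let the service open the master key on its own, so the mirror can open the
-- certificate after a restart or failover without anyone supplying a password.
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
GO
-- The primary's certificate, recreated from the EPV backup files.
CREATE CERTIFICATE AUSSQL2K12POC1_TDE_Cert
    FROM FILE = '\\filesrv\tdebackups\AUSSQL2K12POC1_TDE_Cert_Bkp'
    WITH PRIVATE KEY (
        FILE = '\\filesrv\tdebackups\AUSSQL2K12POC1_TDE_Cert_Priv_Key_Bkp',
        DECRYPTION BY PASSWORD = '<CertPrivKeyBkpPwd-replace-me>'
    );
GO
-- Full and log backups taken on the primary, restored WITH NORECOVERY so the
-- database stays in the restoring state a mirror requires.
RESTORE DATABASE SalesDB FROM DISK = '\\filesrv\tdebackups\SalesDB_full.bak' WITH NORECOVERY;
RESTORE LOG      SalesDB FROM DISK = '\\filesrv\tdebackups\SalesDB_log.trn'  WITH NORECOVERY;
GO
-- The mirror side is pointed at the principal first.
ALTER DATABASE SalesDB SET PARTNER = 'TCP://aussql2k12poc1.example.com:5022';
GO

---------------------------------------------------------------------------
-- Script B: run on the PRIMARY server (section 5.3)
---------------------------------------------------------------------------
USE master;
GO
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<MasterKeyPwd-replace-me>';
GO
ALTER DATABASE SalesDB SET PARTNER = 'TCP://aussql2k12dr1.example.com:5022';
GO

-- Confirm the session (run on either partner): expect SYNCHRONIZED or
-- SYNCHRONIZING with the other server named as the partner instance.
SELECT DB_NAME(database_id) AS database_name,
       mirroring_role_desc,
       mirroring_state_desc,
       mirroring_partner_instance
FROM sys.database_mirroring
WHERE database_id = DB_ID('SalesDB');
GO
```

Script A must complete before Script B: SET PARTNER on the principal fails if the mirror database is not already restoring and pointed back at it. The certificate step is the one that differs from an ordinary mirror; if it is skipped, the RESTORE on the DR server fails because the mirror cannot open the DEK.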
6 TDE with replication
On the Publisher
Follow the steps in section 2 (TDE Implementation) to implement TDE on the publisher
database.

NOTE: The subscriber databases will not have TDE implemented by default. It is, however, highly
recommended that you implement TDE separately in each subscriber database individually. Follow the
steps in section 2 for each such database.
7 TDE with Linked Servers
THERE ARE NO STEPS NECESSARY TO CREATE LINKED SERVERS TO TDE ENABLED
DATABASES.
8 TDE enabled databases backup/restore with Legato
There are no additional steps to enable TDE encrypted databases for backup by the Legato tool. In
order to restore a TDE enabled database to a server different from its original one follow the steps in
section 4 of this document (“Restoring a TDE enabled database in a different server”).
9 Backup/Restore after disabling TDE
To allow a TDE encrypted database to be restored to a server that does not have the correct
master key and certificate two steps need to be taken before backing up the database on the original
server.
1. Disable encryption on the database using the command below:

   ALTER DATABASE <database name> SET ENCRYPTION OFF;
   GO

2. Drop the database encryption key using the following command:

   USE <database name>
   GO
   DROP DATABASE ENCRYPTION KEY;
   GO

After these two steps have been taken the database can be backed up and restored on a server
that does not have the correct master key and certificate.
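Between the two steps above there is a wait the text leaves implicit: SET ENCRYPTION OFF starts a background decryption scan, and DROP DATABASE ENCRYPTION KEY is rejected while that scan is still running. The script below is an added example, not part of the original document, that polls sys.dm_database_encryption_keys (the encryption_state values are the documented ones) and drops the DEK only once the database reports itself unencrypted, then takes the fresh backup that is actually portable. The database name SalesDB and the backup path are assumptions.

```sql
-- Added example (not part of the original document): section 9 carried
-- through with the wait for decryption to finish. Assumed database: SalesDB.

USE master;
GO
-- Step 1: turn encryption off; a decryption scan starts in the background.
ALTER DATABASE SalesDB SET ENCRYPTION OFF;
GO

-- Wait for the scan. Documented states: 3 = encrypted, 5 = decryption in
-- progress, 1 = unencrypted, 0 = no DEK present.
DECLARE @state int = 5;
WHILE @state IN (3, 5)
BEGIN
    SELECT @state = COALESCE(
        (SELECT encryption_state
         FROM sys.dm_database_encryption_keys
         WHERE database_id = DB_ID('SalesDB')), 0);
    IF @state IN (3, 5) WAITFOR DELAY '00:00:10';
END;

IF @state = 1
BEGIN
    -- Step 2: the DEK can be dropped only from inside the database itself.
    EXEC ('USE SalesDB; DROP DATABASE ENCRYPTION KEY;');

    -- Backups taken while the database was encrypted are still encrypted and
    -- still need the certificate. Only a backup taken now can be restored on a
    -- server that has neither the master key nor the certificate.
    BACKUP DATABASE SalesDB
        TO DISK = '\\filesrv\tdebackups\SalesDB_decrypted_full.bak'
        WITH INIT;
END
ELSE
    RAISERROR('SalesDB is not in the unencrypted state (1); the DEK was not dropped.', 16, 1);
GO
```

Ten seconds between polls is arbitrary; on a large database the scan can run for a long time and percent_complete in the same DMV shows how far along it is. Keep the certificate in EPV even after the DEK is gone, because every backup of the database taken before this point still depends on it.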