GDMS_SQL_Server_2012_Transparent_Data_Encryption
SECURITY WARNING
The information contained herein is proprietary to Dell Inc. and must not be disclosed to non-Dell
personnel. The recipient of this document, by its retention and use, agrees to protect the
information contained herein.
Prepared By
Jorge Vergara & Chandra Uppuluri
Database Engineering & Security and Compliance Team
Table of Contents
Document Revision History
1 High Level Overview
1.1 Overview of TDE functionality
1.2 Components involved
1.3 Reference
1.4 High level process flow
2 TDE Implementation
2.1 Create the master key
2.2 Backup the master key to a file
2.3 Create the certificate
2.4 Backup the certificate
2.5 Create the database encryption key
2.6 Set the database up for encryption
2.7 Checking the encryption status of a database
3 Using EPV to store the keys and certificates
3.1 PAC Group
3.2 Storing Objects in EPV
3.3 Searching for TDE files in EPV
4 Restoring a TDE enabled database in a different server
5 TDE with Mirror
5.1 On the DR server
5.3 On the PRIMARY server:
6 TDE with replication
7 TDE with Linked Servers
8 TDE enabled databases backup/restore with Legato
9 Backup/Restore after disabling TDE
Document Revision History
The revision history shows the history for this Business Requirements Document and provides
descriptions of particular changes made.
1.3 Reference
Microsoft MSDN Library at:
http://msdn.microsoft.com/en-us/library/bb934049.aspx
The password must meet the Windows password policy requirements of the computer that is
running the instance of SQL Server. This password will also need to be stored in a safe location.
The certificate is used to create the DEK (Database Encryption Key). If the certificate cannot be
accessed, the DEK cannot be validated and the database cannot be used. Therefore the certificate must
be kept in a safe location. In the next chapter we will discuss the process to store the certificate inside
Enterprise Password Vault.
2.4 Backup the certificate.
Backing up the certificate is one of the most important parts of this process. The certificate is used
to create and validate the DEK and it must be available (in the master database) whenever SQL Server
tries to open a TDE enabled database. The backup will also generate a private key backup, which must be
kept along with the backup of the certificate.
Both the certificate and the private key backups must be kept in a secure location. If the TDE
enabled database ever needs to be moved to another server, the original certificate will need to be
recreated on the new server from this backup file.
You should use the standard below for the backup file names of the certificate and the private key:
Certificate backup: use the certificate name in the form of <server name>_TDE_Cert.
Private Key: <server name>_TDE_Cert_Priv_Key
Use the command below to create a backup of the certificate (along with its private key).
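An added example, not the original document's own command: the section 2 sequence (steps 2.1 to 2.7 as listed in the table of contents), with the certificate backup named according to the standard above and a check that the private key backup was recorded. SQLPROD01, SalesDB, the D:\TDE\ folder, the AES_256 algorithm choice and every <...> value are assumptions.

```sql
-- Added example. SQLPROD01, SalesDB and D:\TDE\ are constructed placeholders;
-- replace every <...> value before running.
USE master;
GO
-- 2.1 Create the master key; the password must satisfy the Windows password policy.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master key password>';
GO
-- 2.2 Back up the master key to a file.
BACKUP MASTER KEY TO FILE = '<master key backup path>'
    ENCRYPTION BY PASSWORD = '<master key backup password>';
GO
-- 2.3 Create the certificate that will protect the DEK.
CREATE CERTIFICATE SQLPROD01_TDE_Cert
    WITH SUBJECT = 'TDE certificate for SQLPROD01';
GO
-- 2.4 Back up the certificate and its private key (file names follow the standard above).
BACKUP CERTIFICATE SQLPROD01_TDE_Cert
    TO FILE = 'D:\TDE\SQLPROD01_TDE_Cert'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE\SQLPROD01_TDE_Cert_Priv_Key',
        ENCRYPTION BY PASSWORD = '<private key backup password>');
GO
-- Confirm the private key backup was recorded before any database depends on it.
SELECT name, thumbprint, pvt_key_last_backup_date
FROM sys.certificates
WHERE name = 'SQLPROD01_TDE_Cert';   -- a NULL date means the key was never backed up
GO
-- 2.5 Create the database encryption key (AES_256 is an assumed choice).
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE SQLPROD01_TDE_Cert;
GO
-- 2.6 Set the database up for encryption.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 2.7 Check status: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state, k.percent_complete,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
JOIN master.sys.certificates AS c
  ON c.thumbprint = k.encryptor_thumbprint;
GO
```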
Fill out the form as per the example, enter your justification and submit the form.
3.2 Storing Objects in EPV
The following objects will need to be stored in EPV for EACH SERVER that has a TDE encrypted
database:
o The Password used to create the Master Key (necessary to set up mirroring)
o Master Key of the server
o Master Key backup Password
o Certificate
o Certificate Private Key
o Certificate Private Key backup Password
Certificate | <SERVER NAME>_TDE_Cert | <SERVER_NAME>_TDE_Cert_Bkp
Certificate Private Key | - | <SERVER_NAME>_TDE_Cert_Priv_Key_Bkp
Certificate Private Key backup Password | - | <SERVER_NAME>_TDE_Cert_Priv_Key_Bkp_Pwd.txt
Copy the files mentioned above from the database server to your machine and make sure they
follow the naming convention guidelines. To upload the files to EPV follow the steps below:
Etc…
Add the keywords: <server_name> SQL TDE – This will help when searching for this later in EPV.
Select SAVE.
Repeat this process for each file you need to store in EPV.
3.3 Searching for TDE files in EPV
Follow the steps below to search for TDE files in EPV
--Restore the certificate from the primary server on the new server
CREATE CERTIFICATE <certificate name>
FROM FILE = '<certificate backup path>'
WITH PRIVATE KEY
(FILE = '<certificate private key backup path>'
, DECRYPTION BY PASSWORD = '<strong password>');
The “DECRYPTION BY PASSWORD” value must match the password that was used to back up the
certificate on the original server. This password should be in EPV along with the certificate in a file called
<server name>_TDE_Cert_Priv_Key_Bkp_Pwd.txt.
From this moment on, the backup from the original database can be restored normally to the new
server.
5 TDE with Mirror
The steps to set up mirroring for a TDE enabled database are very similar to restoring the TDE
enabled database on a different server.
Use the command below to add encryption by SERVICE MASTER KEY to the master key.
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
go
Restore the certificate from the primary server to the DR server using the command below.
--Restore the certificate from the primary server on the new server
CREATE CERTIFICATE <certificate name>
FROM FILE = '<certificate backup path>'
WITH PRIVATE KEY (FILE = '<certificate private key backup path>'
, DECRYPTION BY PASSWORD = '<strong password>');
Restore the database to the DR server normally. The commands below are examples.
restore database <database name>
from disk = '<backup file>'
with norecovery
5.2
5.3 On the PRIMARY server:
The following steps need to be implemented on the Primary server in order for a mirror to be
implemented.
NOTE: The subscriber databases will not have TDE implemented by default. It is, however, highly
recommended that you implement TDE separately in each subscriber database. Follow the
steps in section 2 for each such database.
7 TDE with Linked Servers
THERE ARE NO STEPS NECESSARY TO CREATE LINKED SERVERS TO TDE ENABLED
DATABASES.
8 TDE enabled databases backup/restore with Legato
There are no additional steps to enable TDE encrypted databases for backup by the Legato tool. In
order to restore a TDE enabled database to a server different from its original one, follow the steps in
section 4 of this document (“Restoring a TDE enabled database in a different server”).
9 Backup/Restore after disabling TDE
To allow a TDE encrypted database to be restored to a server that does not have the correct
master key and certificate, two steps need to be taken before backing up the database on the original
server.
1. Disable encryption on the database using the command below:
After these two steps have been taken the database can be backed up and restored on a server
that does not have the correct master key and certificate.
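An added example of a disable-then-backup sequence in T-SQL, not taken from the original document. Dropping the database encryption key as the second step is an assumption based on standard SQL Server behaviour, and SalesDB and the <backup file> value are placeholders.

```sql
-- Added example. SalesDB and <backup file> are placeholders.
USE master;
GO
-- Step 1: disable encryption; SQL Server decrypts the data in the background.
ALTER DATABASE SalesDB SET ENCRYPTION OFF;
GO
-- Wait for the decryption scan to finish.
-- encryption_state 5 = decryption in progress, 1 = unencrypted.
WHILE EXISTS (SELECT 1
              FROM sys.dm_database_encryption_keys
              WHERE database_id = DB_ID('SalesDB')
                AND encryption_state <> 1)
    WAITFOR DELAY '00:00:10';
GO
-- Assumed step 2: remove the database encryption key once decryption is complete.
USE SalesDB;
GO
DROP DATABASE ENCRYPTION KEY;
GO
-- Back up the now unencrypted database.
BACKUP DATABASE SalesDB TO DISK = '<backup file>';
GO
```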