The Real MCTS SQL Server 2008 Exam 70-432 Prep Kit - P39

5 88 0
Tài liệu đã được kiểm tra trùng lặp

Đang tải... (xem toàn văn)

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 5
Dung lượng 129,38 KB

Các công cụ chuyển đổi và chỉnh sửa cho tài liệu này

Nội dung

Table 5.1 The Hierarchy in TDEStep SQL Server Key Dec SQL Command 1 Service master key SMK Created by SQL Server at the time of setup, the SMK is encrypted using Windows Operating Syst


Only the SQL Server 2008 Enterprise and Developer editions support TDE.

TDE-encrypted databases cannot be attached to or used by other editions.

Enabling TDE

The steps to enable TDE on a database are as follows:

1. Create a service master key at the database instance.

2. Create a database master key and associated certificate in the master database.

3. Create a database encryption key in the user database to be encrypted.

4. Set the user database to use encryption.

Before describing the mechanics of creating the components of TDE, let's review the SQL Server 2008 cryptography scheme.

At its core, TDE uses the Windows Data Protection application programming interface (API) to encrypt and decrypt keys and data. The Data Protection API (DPAPI) was introduced in Microsoft Windows 2000 to encrypt and decrypt data. Since SQL Server 2005, DPAPI has been used to generate a key for the database instance, known as the service master key (SMK). At the time the database instance is created, the SMK is generated using the DPAPI functions and the Windows credentials of the SQL Server service account. The SMK is then encrypted using local machine credentials. The SMK can only be decrypted by the service account used during SQL Server setup at installation, or by an account that has access to the SQL Server service account's Windows credentials or belongs to the same security group.

The SMK is used to encrypt and decrypt all other keys within the SQL Server instance.

Table 5.1 describes the key hierarchy in TDE that enables the encryption of a user database.


Table 5.1 The Hierarchy in TDE (columns: Step | SQL Server Key | Description | SQL Command)

Step 1 | Service master key (SMK)
Description: Created by SQL Server at the time of setup, the SMK is encrypted using the Windows operating system's Data Protection API (DPAPI) and the local computer key that is derived from the Windows credentials of the SQL Server service account and the computer.
SQL Command:

    BACKUP SERVICE MASTER KEY TO FILE = '<complete path and filename>'
        ENCRYPTION BY PASSWORD = '<password>';

Step 2 | Master database's database master key (DMK) and certificate
Description: The DMK is created and stored in the master database. The DMK is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the database. When it is created, the DMK is encrypted by using the Triple Data Encryption Standard (DES) algorithm and a user-supplied password. Please note it is best practice to back up the DMK in a safe location.
SQL Command:

    USE master;
    GO
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'some password';
    CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
    BACKUP CERTIFICATE tdeCert TO FILE = 'path_to_file'
        WITH PRIVATE KEY (FILE = 'path_to_private_key_file',
                          ENCRYPTION BY PASSWORD = 'TDE cert p@sswurd');

Step 3 | Database encryption key (DEK)
Description: The DEK is stored in the boot record of the encrypted database and is created by using the DMK certificate.
SQL Command (run in the user database to be encrypted):

    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE tdeCert;

TDE encrypts the data and log files using the database encryption key (DEK) and the encryption algorithm specified for the target TDE database. The complexity of encryption in TDE arises from the SQL Server encryption hierarchy needed to create and use the DEK, together with the specified encryption algorithm.

SQL Server supports a number of encryption algorithms, including three-key Triple DES and AES with a 128-bit, 192-bit, or 256-bit key. The definition of encryption keys and best practices for them are beyond the scope of this book, but as a general rule stronger encryption algorithms require more CPU resources and are generally slower.
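The four enablement steps and the Table 5.1 commands assembled into one end-to-end T-SQL script, with the step-4 command and a verification query added; this is an added example, not the book's listing. The database name SalesDB, the file paths and the passwords are placeholders.

```sql
-- Step 1: the SMK already exists (SQL Server created it at setup); back it up first.
USE master;
GO
BACKUP SERVICE MASTER KEY TO FILE = 'C:\KeyBackups\smk.bak'      -- assumed path
    ENCRYPTION BY PASSWORD = 'Smk-Backup-P@ssw0rd-2014';           -- placeholder password
GO
-- Step 2: database master key and certificate in master, both backed up immediately.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-P@ssw0rd-2014';    -- placeholder password
GO
CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
GO
BACKUP CERTIFICATE tdeCert
    TO FILE = 'C:\KeyBackups\tdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackups\tdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'TDE cert p@sswurd');
GO
-- Step 3: the DEK lives in the user database, so switch context first (SalesDB is assumed).
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE tdeCert;
GO
-- Step 4: turn encryption on; this flips is_encrypted and starts the background encryption scan.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- Verification: encryption_state 2 = scan in progress, 3 = encrypted; percent_complete tracks the scan.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.name = 'SalesDB';
```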

Configuring & Implementing…

Backup Service Master Key

Creating a backup of the SMK is the first activity that should be done after a SQL Server installation. The SMK backup should be stored in a secure, off-site location. It's important to protect and have a backup of the SMK, as it's the "Master Key" to encryption for the SQL Server database.

    BACKUP SERVICE MASTER KEY TO FILE = '<pathname>\<filename>'
        ENCRYPTION BY PASSWORD = '<password>';


Note that the passwords specified in the T-SQL commands are subject to password complexity checks. The complexity checks include the following:

- Must be at least eight characters long, with a maximum of 128 characters
- Does not contain all or part of the user account name
- Contains characters from three of the following four categories:
  - Uppercase Latin letters (A through Z)
  - Lowercase Latin letters (a through z)
  - Numeric digits (0 through 9)
  - Non-alphanumeric characters, such as ! (exclamation point), $ (dollar sign), # (number sign), and % (percent sign)

How Data Is Encrypted

Using the DEK and the encryption algorithm, TDE encrypts the database files at the database page level. Each page is encrypted before it is written to disk and decrypted when it is read into memory. The page is encrypted and decrypted using the DEK.

When TDE is enabled for a database, the is_encrypted column in the sys.databases view is changed to 1, indicating the database is set for encryption. The encryption scan process then starts, scans all the database files associated with the database, and encrypts them using the encryption algorithm specified when the DEK was created. The encryption process takes a shared lock on the database and encrypts each page in the specified database. During this process, detaching the database or changing the file structure is denied. Data already in the log file is not encrypted; entries written to the log file after the encryption process is complete are encrypted.

Once the database encryption is complete, all database encryption and decryption is performed in memory: each page is decrypted when it is read into memory and encrypted before it is written to disk, using the DEK.

Encryption Keys

Keys are the basis of cryptography, the science of obfuscating or hiding information. There are two types of keys used in SQL Server for encryption: symmetric and asymmetric.


Symmetric keys use the same key (password) to encrypt and decrypt data, whereas asymmetric keys use one key (the public key) to encrypt the data and another (the private key) to decrypt it. While symmetric key processing is faster than asymmetric, the limitation is that using the same key for both encryption and decryption is not as secure as an asymmetric key pair.

Certificates and asymmetric keys are both used in asymmetric encryption. A certificate, also known as a public key certificate, is a digital object that binds a digital signature to a person or organization. Certificates are generally used to identify a person or organization; in other words, a certificate is an electronic form of an ID card. Often used as containers for asymmetric keys, certificates have additional attributes such as issuer and expiration information, as specified in the Internet Engineering Task Force (IETF) X.509v3 standard.

Within SQL Server 2008, certificates serve several purposes. Certificates can be used for the following tasks:

- To encrypt connections and data transmitted across a network between SQL Server and a client application
- To support database mirroring
- To encrypt Service Broker conversations
- To sign Integration Services packages

Certificates in SQL Server are securable objects, meaning permissions can be granted or denied on them, just as with tables and views. SQL Server can use internally generated certificates or externally generated ones.

Key Management

Key management provides the ability to:

- Create new database keys
- Back up and restore server and database keys
- Restore, delete, and change keys

By default, TDE stores all encryption keys locally with SQL Server and provides the ability to export keys to files to be archived.

As more information is encrypted, the management of these keys becomes challenging. External key management (EKM), new in SQL Server 2008, provides organizations with hardware-based security modules (HSM) or external software
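The restore side of the key backups described above: importing the certificate (and its private key) on a second instance so that a backup of the TDE-protected database can be restored there. This is an added example, not from the book; the file paths, database name SalesDB, and passwords are assumed, and the .cer/.pvk files are the ones produced by BACKUP CERTIFICATE on the source server.

```sql
-- Run on the receiving instance. The certificate must be recreated in master
-- before RESTORE, because the backup's DEK is encrypted by that certificate.
USE master;
GO
-- A DMK is required in master before a certificate with a private key can be imported.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Target-Dmk-P@ssw0rd';   -- placeholder password
GO
-- Import the certificate from the files written by BACKUP CERTIFICATE on the source server.
-- DECRYPTION BY PASSWORD must be the password used when the private key was exported.
CREATE CERTIFICATE tdeCert
    FROM FILE = 'D:\KeyImport\tdeCert.cer'                            -- assumed path
    WITH PRIVATE KEY (FILE = 'D:\KeyImport\tdeCert.pvk',
                      DECRYPTION BY PASSWORD = 'TDE cert p@sswurd');
GO
-- With the certificate in place, SQL Server can decrypt the DEK inside the backup.
RESTORE DATABASE SalesDB
    FROM DISK = 'D:\Backups\SalesDB.bak'                              -- assumed path
    WITH RECOVERY;
GO
-- Confirm the DEK is protected by the certificate just imported: thumbprints must match.
SELECT DB_NAME(k.database_id) AS database_name,
       c.name                 AS certificate_name,
       k.encryption_state,
       k.key_algorithm
FROM sys.dm_database_encryption_keys AS k
JOIN sys.certificates AS c
  ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('SalesDB');
```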

Posted: 06/07/2014, 23:21
