
The Real MCTS SQL Server 2008 Exam 70-432 Prep Kit - P42


Managing Data Encryption • Chapter 5

Exam Objectives Frequently Asked Questions

Q: What is DPAPI and how is it used in TDE architecture?

A: DPAPI (Data Protection Application Programming Interface) is a cryptographic programming interface introduced with Microsoft Windows 2000 and included in later Microsoft Windows operating systems. The API consists of two functions: CryptProtectData (used to encrypt data) and CryptUnprotectData (used to decrypt data). DPAPI is the top level of the TDE encryption hierarchy and is used by SQL Server to protect the service master key (SMK) for the database instance. In TDE, the SMK is used to protect the next level of the SQL Server encryption hierarchy, specifically the database master key (DMK), and is stored in the master database. The last encryption level for TDE is the database encryption key (DEK). Using a certificate created for the DMK, the DEK is encrypted using the DMK certificate from the master database and then stored in the specified user database.
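The hierarchy described in this answer, built and then checked link by link in T-SQL. This is an added example, not taken from the book: `tdedatabase` and `tdeCert` follow the names used elsewhere on this page, and the passwords and file paths are placeholders.

```sql
-- Added example. Passwords and file paths are placeholders.
-- GO is the sqlcmd/SSMS batch separator.
USE master;
GO
-- DMK in master. It is protected by the password and by the SMK,
-- and the SMK is in turn protected by DPAPI.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
GO
-- Certificate in master; its private key is protected by the DMK.
CREATE CERTIFICATE tdeCert WITH SUBJECT = 'tdeCertificate';
GO
-- Back up the certificate and private key before any database depends on them.
BACKUP CERTIFICATE tdeCert
    TO FILE = 'path_to_file'
    WITH PRIVATE KEY (
        FILE = 'path_to_private_key_file',
        ENCRYPTION BY PASSWORD = '<placeholder: backup password>');
GO
USE tdedatabase;
GO
-- DEK: stored in the user database, encrypted by the certificate in master.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE tdeCert;
GO
ALTER DATABASE tdedatabase SET ENCRYPTION ON;
GO
-- Check each link of the chain.
-- 1. The DMK in master is encrypted by the SMK (expected value: 1).
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases WHERE name = 'master';
-- 2. The certificate's private key is protected by the DMK.
SELECT name, pvt_key_encryption_type_desc, thumbprint
FROM master.sys.certificates WHERE name = 'tdeCert';
-- 3. Which certificate protects each DEK, and how far the encryption scan is.
--    encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(k.database_id) AS database_name, k.encryption_state,
       k.percent_complete, k.key_algorithm, k.key_length,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint;
```

A row in the last query whose `protecting_certificate` is NULL points at a DEK whose certificate is missing from master, which is worth resolving before the next backup is taken.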

Q: What is Transparent Data Encryption?

A: Transparent Data Encryption (TDE) provides the ability to encrypt entire databases, data, and log files without the requirement of application changes and with minimal performance impact.

Q: What edition of SQL Server is required to use TDE?

A: TDE is only available on SQL Server 2008 Enterprise and Developer editions.

Q: When is the Service Master Key created?

A: The SMK is created during SQL Server setup of the instance. It uses the DPAPI and the SQL Server service credential to generate the SMK.

Q: What is the Service Master Key used for?

A: The SMK is at the core of SQL Server encryption. An SMK is generated on a SQL Server instance when an instance is first started. The SMK is used to encrypt various components on the database instance including linked server passwords, database master keys, and credentials. The SMK is encrypted by using the local computer. By default, the SMK is created by the Windows service account using the Windows data protection API and the local server key.


Q: Where are the certificates stored?

A: By default, all keys and certificates are stored in SQL Server. With EKM and HSM vendors, keys can be stored outside of SQL Server.

Q: What is the difference between cell- and column-level encryption?

A: Cell- and column-level encryption require that the column to be encrypted in the table schema be stored as a varbinary object. The main difference between cell- and column-level encryption is that the expense of column-level encryption is magnified by the number of rows in the table.
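The varbinary requirement and the per-row cost described in this answer, shown with SQL Server's symmetric-key functions. This is an added example, not taken from the book: the database `celldemo`, the table, the key and certificate names, the password and the sample value are all constructed for illustration.

```sql
-- Added example. All object names and values are constructed.
-- GO is the sqlcmd/SSMS batch separator.
USE celldemo;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
GO
CREATE CERTIFICATE cellCert WITH SUBJECT = 'cell-level encryption demo';
GO
CREATE SYMMETRIC KEY cellKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE cellCert;
GO
-- The encrypted column must be varbinary: ENCRYPTBYKEY returns ciphertext bytes.
CREATE TABLE dbo.Customer (
    CustomerId    INT IDENTITY PRIMARY KEY,
    Name          NVARCHAR(100) NOT NULL,
    CardNumberEnc VARBINARY(256) NOT NULL
);
GO
-- The key must be open in the session before encrypting or decrypting.
OPEN SYMMETRIC KEY cellKey DECRYPTION BY CERTIFICATE cellCert;

INSERT INTO dbo.Customer (Name, CardNumberEnc)
VALUES (N'Constructed Sample',
        ENCRYPTBYKEY(KEY_GUID('cellKey'), N'0000-0000-0000-0000'));

-- Reading: DECRYPTBYKEY returns varbinary, so convert back to the
-- data type that was encrypted (NVARCHAR here).
SELECT CustomerId, Name,
       CONVERT(NVARCHAR(32), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;

-- Searching on the plaintext: the predicate wraps the column in a function,
-- so every row is decrypted and compared. ENCRYPTBYKEY output is randomized,
-- so an index on CardNumberEnc cannot serve an equality search either.
SELECT CustomerId
FROM dbo.Customer
WHERE CONVERT(NVARCHAR(32), DECRYPTBYKEY(CardNumberEnc)) = N'0000-0000-0000-0000';

CLOSE SYMMETRIC KEY cellKey;
GO
```

If the key is not open in the session, `DECRYPTBYKEY` returns NULL rather than raising an error, so a result set of NULLs usually means a missing `OPEN SYMMETRIC KEY`, not lost data.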


Self Test

1. What level of protection does transparent data encryption (TDE) provide?
A. Cell-level
B. File-level
C. Database-level
D. Drive-level

2. Which of the following best describes transparent data encryption (TDE)?
A. Data in specific columns is encrypted
B. Encrypts everything, such as indexes, stored procedures, functions, keys, etc., without sacrificing security or leaking information on the disk
C. Once data types have been changed to varbinary, everything will be encrypted
D. Once database schemas have been changed to accommodate data encryption, everything will be encrypted

3. Which edition of SQL Server 2008 offers transparent data encryption (TDE)?
A. SQL Server 2008 Express
B. SQL Server 2008 Standard
C. SQL Server 2008 Web
D. SQL Server 2008 Enterprise

4. Which SQL Server permissions are required to enable transparent data encryption (TDE)?
A. Permissions associated with creating the user database
B. Permissions associated with making server-level changes
C. Permissions associated with creating a database master key and certificate in the master database and control permissions on the user database
D. Permissions associated with the operating system administrator's account

5. The first step to enabling TDE on a database is to create a database master key (DMK). Which of the following is the correct syntax for creating a DMK?
A. CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'somepassword';


B. ALTER DATABASE tdedatabase SET ENCRYPTION ON;
C. CREATE CERTIFICATE tdeCert WITH SUBJECT = 'tdeCertificate';
D. CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE tdeCert;

6. It is very important to back up the Certificate with the private key once it has been created and to copy it to a secure location other than on the server that it was created on. Which of the following is the correct syntax to back up a Certificate?
A. CREATE CERTIFICATE tdeCert WITH SUBJECT = 'tdeCertificate';
B. BACKUP CERTIFICATE tdeCert TO FILE = 'path_to_file' WITH PRIVATE KEY (FILE = 'path_to_private_key_file', ENCRYPTION BY PASSWORD = 'cert password');
C. CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE tdeCert;
D. ALTER DATABASE tdedatabase SET ENCRYPTION ON;

7. Which sys catalog view is used to monitor the progress of an encryption scan?
A. Sys.configurations
B. Sys.certificates
C. Sys.key_encryptions
D. Sys.dm_database_encryption_keys

8. When transparent data encryption (TDE) is enabled, which of the following system catalog views will the database show as encrypted?
A. Sys.databases
B. Sys.all_objects
C. Sys.all_columns
D. Sys.configurations

9. When transparent data encryption (TDE) is enabled, database backups are encrypted. If you cannot locate the associated Certificate and private key files, what happens to the data if you need to restore the encrypted database?
A. Everything will be readable since the Certificate and private key can be recreated


B. The data will not be readable since the Certificate and private key files are lost
C. Only encrypted columns will not be readable
D. Everything will be readable once the database encryption has been turned off in the master database

10. In which edition of SQL Server 2008 is cell-level encryption available?
A. Only in the Enterprise edition
B. Only in the Web edition
C. Only in the Workgroup edition
D. All SQL Server 2008 editions

11. When using cell-level encryption, which data type is required in order to encrypt the data?
A. VARCHAR
B. No special data type is necessary
C. BINARY
D. VARBINARY

12. What is the query performance impact when using cell-level encryption?
A. There is a positive query performance impact since there are only specific columns that are encrypted
B. There is a negative query performance impact since data types have to be converted from varbinary to the correct data type and primary keys and indexes are not used, resulting in full table scans
C. There is a negative query performance impact unless TDE has been enabled
D. There is a positive query performance impact as long as TDE has been enabled

13. Cell-level encryption is best used in which of the following?
A. Performance sensitive situations
B. All situations
C. Limited access control through the use of passwords situations
D. Situations when a password is not needed to access the encrypted data

Date posted: 06/07/2014, 23:21
