7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 1/11

Securing Database Contents with

Transparent Data Encryption (TDE)

Introduction

Microsoft SQL Server has many security features available within the database, but

until release of SQL Server 2008 there has been no “out-of-the-box” method for 

 protecting the data at the operating system level. The Transparent Data Encryption

(TDE) feature introduced in SQL Server 2008 allows sensitive data to be encrypted

within the data files to prevent access to it from the operating system. It solves the

 problems of security of data means encrypting databases on hard disk and on any

 backup media and is the best possible choice for bulk encryption to meet the regulatory

compliance or corporate data security standards. This feature encrypts both data and

logs as the records are written to SQL database files (*.mdf) in real-time, including

 backups, snapshots and transaction logs. TDE encrypts data before it’s written to disk and decrypts data before it is returned to the application. The encryption and decryption

 process is performed at the SQL layer, completely transparent to applications and users.

TDE encryption uses a Database Encryption Key (DEK) (that is an asymmetric key

secured by using a certificate stored in the master database), which is stored in the

database boot record for availability during recovery.

In this post, I’ll show you how to encrypt database using Transparent Data Encryption

(TDE) and then I will discuss the limitations of TDE.

Architecture of Transparent Data Encryption

The following illustration shows the architecture of TDE encryption:

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 2/11

Service Master Key is created at a time of SQL Server setup; DPAPI encrypts the

Service Master Key. Service Master Key encrypts Database Master Key for the Master 

Database. The Database Master Key of the master Database Creates the Certificate then

the certificate encrypts the database encryption key in the user database. The entire

database is secured by the Database Master Key of the user Database by using TDE.

TDE performs the encryption at the page level. The pages in an encrypted database are

encrypted before they are written to disk and decrypted when read into memory.

 Microsoft Reference: Transparent Data Encryption ( http://msdn.microsoft.com/en-

us/library/bb934049.aspx )

Demo

 Note: For the purposes of this post, I’ll be encrypting SQL Server 2012 sample

database AdventureWorks2012 database using TDE. It is advisable to backup the

database prior to implementing TDE.

Our first step to setup TDE is to create a database master key for our master database.

To do that, open the New Query window and execute the following script:

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 3/11

USE [master]GO

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1'GO

 

Information about the database master key is visible in the sys.symmetric_keys catalog

view. Execute the following query to verify that database master key is encrypted by the

service master key:

USE [master]GO

SELECT b.[name], a.[crypt_type_desc]FROM [sys].[key_encryptions] a

INNER JOIN [sys].[symmetric_keys] b  ON a.[key_id] = b.[symmetric_key_id]WHERE b.[name] = '##MS_DatabaseMasterKey##';GO

 

Example:

 Now the next step is to create a self-signed certificate that is protected by the database

master key of our master database. This certificate encrypts the Database Encryption

Key in the AdventureWorks2012 database.

Execute the following script to create the self-signed certificate:

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 4/11

USE [master]GO

CREATE CERTIFICATE CertificateforTDEWITH SUBJECT = 'Certificate for TDE'

,EXPIRY_DATE = '20220101'GO

 

 Navigate as follow, to view this certificate in SQL Server Management Studio:

 Note: Certificate expiration is not enforced when the certificate is used for encryption.

 Now backup your certificate and database master key immediately as you need them in

a recovery situation. To do that, execute the following script to backup certificate:

USE [master]

GO

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 5/11

BACKUP CERTIFICATE CertificateforTDETO FILE = 'D:\TDE_Demo\CertificateforTDE.cer'WITH PRIVATE KEY (FILE = 'D:\TDE_Demo\CertificateforTDE.key'

,ENCRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1')GO

 

Execute the following script to backup the database master key of master database:

USE [master]GO

-- Master key password must be specified when it is opened.OPEN MASTER KEY DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1'BACKUP MASTER KEY TO FILE = 'D:\TDE_Demo\ExportedMasterKey.key'ENCRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1'GO

 

Once successfully executed, verify that the master key and security certificate backup

files are created in the location specified in script for example for in this demo its

D:\TDE_Demo\ (see below):

 Note: Save your master key and security certificate backup files in a secure location as

 you’ll need them when restoring the database on a different SQL Server otherwise the

restore process will fail.

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 6/11

 Now that we have created the database master key and the certificate in the master 

database, we are now ready to create the database encryption key for our database.

Execute the following script to create the database encryption key in

AdventureWorks2012 database:

USE [AdventureWorks2012]GO

CREATE DATABASE ENCRYPTION KEYWITH ALGORITHM = AES_256ENCRYPTION BY SERVER CERTIFICATE CertificateforTDEGO

 

The AES_128 option specifies Advanced Encryption Standard (AES) with a 256 bit key

length, and we protect the database encryption key with the AWTDECertificatecertificate that was created in the Master database.

 Note: SQL Server allow you to encrypt data with several encryption algorithms such as

 DES, Triple DES, TRIPLE_DES_3KEY, RC2, RC4, 128-bit RC4, DESX, 128-bit AES,

192-bit AES, and 256-bit AES.

The final step in the setup process of TDE is to enable it. This is accomplished by

executing the ALTER DATABASE command with the SET ENCRYPTION ON

argument.

Execute the following script to enable TDE on AdventureWorks2012 database:

USE [master]GO

ALTER DATABASE [AdventureWorks2012]SET ENCRYPTION ONGO

 

To verify that database is encrypted using TDE, right-click the database and chooseoption and you will see encryption option is now ON as shown in figure below:

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 7/11

Execute the following query, to find out what databases are encrypted using TDE:

USE [master]GO

SELECT db.[name],db.[is_encrypted],dm.[encryption_state],dm.[percent_complete],dm.[key_algorithm],dm.[key_length]

FROM [sys].[databases] dbLEFT OUTER JOIN [sys].[dm_database_encryption_keys] dmON db.[database_id] = dm.[database_id];GO

 

Recovery

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 8/11

 Now perform the full backup of AdventureWorks2012 database using script below:

USE [master]GO

BACKUP DATABASE [AdventureWorks2012]TO DISK = N'D:\Backups\AdventureWorks2012.bak' WITH NOFORMAT, NOINIT

,NAME = N'AdventureWorks2012-Full Database Backup',SKIP, NOREWIND, NOUNLOAD, STATS = 10

GO

 

 Now test the restore the database of AdventureWorks2012 database as follow:

As you can see from above that database restore is successful on same instance.

 Now try restoring this database on different SQL Server using script below:

USE [master]GO

RESTORE DATABASE [AdventureWorks2012]FROM  DISK = N'D:\Backups\AdventureWorks2012.bak' WITH  FILE =1,MOVE N'MyFileStream' TO N'D:\Databases\MyFileStream',MOVE N'AdventureWorks2012_Data' TO

N'D:\Databases\AdventureWorks2012_Data.mdf',

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 9/11

MOVE N'AdventureWorks2012_Log' TON'D:\Databases\AdventureWorks2012_log.ldf',NOUNLOAD, STATS = 5GO

 As you can see, the restore process will fail with the error below:

This is because the database is encrypted with TDE.

To restore the TDE encrypted database on different SQL Server instance, you first needto restore the database master key and then the self-signed certificate that is used to

encrypt the database encryption key.

Execute the following script to restore the database master key from master key backup:

USE [master]GO

RESTORE MASTER KEYFROM FILE = 'D:\TDE_Demo_Backup\ExportedMasterKey.key'

DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1'ENCRYPTION BY PASSWORD = '$tr0ngPa$$w0rd2';GO

 

 Next step is to create the SQL Server certificate on the second SQL Server using the

Private Key backup of Principle SQL Server. To do that execute the following script:

USE [master]GO

OPEN MASTER KEY DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd2'

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 10/11

CREATE CERTIFICATE CertificateforTDEFROM FILE = 'D:\TDE_Demo_Backup\CertificateforTDE.cer' WITH PRIVATE KEY (FILE ='D:\TDE_Demo_Backup\CertificateforTDE.key',DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd1');

GO

 

We are now ready to restore the database on second SQL Server.

 Note: You must OPEN MASTER KEY first and then perform restore otherwise restore

will fail.

Execute the script below which we executed earlier to restore the AdventureWorks2012

database:

USE [master]GO

OPEN MASTER KEY DECRYPTION BY PASSWORD = '$tr0ngPa$$w0rd2'

RESTORE DATABASE [AdventureWorks2012]FROM  DISK = N'D:\Backups\AdventureWorks2012.bak' WITH  FILE =1,MOVE N'MyFileStream' TO N'D:\Databases\MyFileStream',MOVE N'AdventureWorks2012_Data' TO

N'D:\Databases\AdventureWorks2012_Data.mdf',MOVE N'AdventureWorks2012_Log' TON'D:\Databases\AdventureWorks2012_log.ldf',NOUNLOAD, STATS = 10GO

 

This time restore script executed successfully and AdventureWorks2012 database has

now been restored on second SQL Server (see below):

7/27/2019 Securing Database Contents With Transparent Data Encryption

http://slidepdf.com/reader/full/securing-database-contents-with-transparent-data-encryption 11/11

Limitation of Transparent data encryption

• TDE does not provide encryption across communication channels.

• When enabling TDE, you should immediately back up the certificate and the

 private key associated with the certificate. If the certificate ever becomesunavailable or if you must restore or attach the database on another server, you

must have backups of both the certificate and the private key or you will not be

able to open the database.

• The encrypting certificate or Asymmetric should be retained even if TDE is no

longer enabled on the database. Even though the database is not encrypted, the

database encryption key may be retained in the database and may need to be

accessed for some operations.

• Altering the certificates to be password-protected after they are used by TDE

will cause the database to become inaccessible after a restart.