Transparent Data Encryption (TDE)
Introduction and Overview
Transparent Data Encryption (TDE) was introduced in SQL Server 2008. Its main purpose is to protect data by encrypting the physical files, both the data (mdf) and log (ldf) files, as opposed to the individual values stored within the database. Transparent Data Encryption encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files.

This technology was designed so that the entire encryption process is completely transparent to the applications accessing the database. It does this by using either Advanced Encryption Standard (AES) or Triple DES to encrypt the file pages as they are written to disk and decrypt them as the information is read into memory. There are therefore no limitations on querying the data in an encrypted database. This is essentially real-time I/O encryption and decryption, and it does not increase the size of the database.
Also note that, as a result of Transparent Data Encryption, database backups will also be encrypted. If a backup of the database is lost or stolen, the culprit will not be able to restore the database without the appropriate certificate, keys and passwords.
Also, the tempdb database will be encrypted automatically, since tempdb is used by all user databases for processing and storing temporary objects. You shouldn't notice much of a difference in how Transparent Data Encryption operates, but this is good to know and often overlooked: what good is an encrypted database if the data placed in tempdb isn't encrypted?
However, this does not encrypt the data "across the wire", so to speak. If there is a requirement to encrypt data across the network, an SSL connection must be configured on the clients. (For more information regarding this, please see this link.)
If you're a DBA, there is a very strong chance that you are in charge of securing some very sensitive information.
SQL Server Editions Eligible for Transparent Data Encryption
First we must determine the correct edition of SQL Server that allows Transparent Data Encryption. I like to call it an expensive feature, as it requires Enterprise Edition. It also works with Developer Edition, but of course that is only for testing and development purposes. When implementing this in a production environment you must have the correct edition of SQL Server. I've listed the eligible editions below.
- SQL 2016 Evaluation, Developer, Enterprise
- SQL 2014 Evaluation, Developer, Enterprise
- SQL Server 2012 Evaluation, Developer, Enterprise
- SQL Server 2008 R2 Evaluation, Developer, Enterprise, Datacenter
- SQL Server 2008 Evaluation, Developer, Enterprise
Transparent Data Encryption Hierarchy
Now let's have a quick overview of the Transparent Data Encryption architecture and hierarchy. At the top is the Windows operating system level Data Protection API (DPAPI), which protects the Service Master Key found at the SQL Server instance level. The Service Master Key is created at the time of the initial SQL Server instance setup. From there we go to the database level: the Service Master Key encrypts the Database Master Key of the master database, and the Database Master Key is used to protect a certificate created in the master database. Keep in mind that you must create a backup of this certificate, not only for environment refreshes but also for disaster recovery purposes. Once Transparent Data Encryption is enabled on a database, you won't be able to restore or move it to another server unless this same certificate has been installed there. Keep good (and secure) records of the certificate and password.
The certificate is then used to enable encryption at the database level by creating the database encryption key, which the certificate protects.
To help visualize this process, please refer to the following diagram:

Implementation
As always, I like to do my work in SQL Server Management Studio, so please open up SSMS and log into the server that you will be using.
Create Master Key
We must first create the master key. It must be created in the master database, so as a precautionary measure I like to begin this statement with the USE master command.
```sql
USE master;
GO
-- The database master key of master protects the TDE certificate created next.
CREATE MASTER KEY ENCRYPTION
BY PASSWORD = 'InsertStrongPasswordHere';
GO
```
Create Certificate Protected by Master Key
Once the master key has been created with its strong password (which you should remember or save in a secure location), we will go ahead and create the actual certificate.
```sql
-- Created in master; its private key is protected by the database master key.
CREATE CERTIFICATE TDE_Cert
WITH SUBJECT = 'Database_Encryption';
GO
```
The certificate's name is "TDE_Cert" and I gave it a generic subject. Some database administrators like to put the name of the actual database they are going to encrypt in there. It is totally up to you.
Create Database Encryption Key
Now we must use the USE command to switch to the database that we wish to encrypt. Then we create the association between the certificate we just created and the database, and indicate the encryption algorithm we are going to use. In this case it will be AES_256.
```sql
USE <DB>;   -- replace <DB> with the name of the database to encrypt
GO
-- The DEK lives in the user database and is encrypted by the certificate in master.
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
```
Enable Encryption
Finally, we can enable encryption on our database by using the ALTER DATABASE command.
```sql
ALTER DATABASE <DB>   -- same database as above
SET ENCRYPTION ON;
GO
```
Once encryption is turned on it may take some time to complete, depending on the size of the database. You can monitor the status by querying the sys.dm_database_encryption_keys DMV.
Backup Certificate
It's important to back up the certificate you created and store it in a secure location. If the server ever goes down and you need to restore the database elsewhere, you will have to import the certificate on that server. In certain environments the DR servers are already stood up and on warm/hot standby, so it's a good idea to pre-emptively import the saved certificate on those servers.
```sql
-- Exports the certificate and its private key; the password protects the .pvk file.
BACKUP CERTIFICATE TDE_Cert
TO FILE = 'C:\temp\TDE_Cert'
WITH PRIVATE KEY (FILE = 'C:\temp\TDE_CertKey.pvk',
                  ENCRYPTION BY PASSWORD = 'InsertStrongPasswordHere');
GO
```
Remember to store the certificate and private key files in a safe and available location (not a temporary one like in this example).
Restoring a Certificate
In order to restore the certificate, you will once again have to create a master key in the master database of the secondary server.
```sql
USE master;
GO
CREATE MASTER KEY ENCRYPTION
BY PASSWORD = 'InsertStrongPasswordHere';
GO
```
Once that is done, you must remember where you backed up the certificate and the password that was used to encrypt its private key.
```sql
USE master;
GO
-- The certificate name and file paths must match the BACKUP CERTIFICATE step above
-- (the original article used a different name and key path here, which would fail).
CREATE CERTIFICATE TDE_Cert
FROM FILE = 'C:\temp\TDE_Cert'
WITH PRIVATE KEY (FILE = 'C:\temp\TDE_CertKey.pvk',
                  DECRYPTION BY PASSWORD = 'InsertStrongPasswordHere');
GO
```
Be mindful of the paths used in this example. You must specify the path where you have stored the certificate and private key. Also keep good and secure records of the encryption passwords.
Once the certificate is restored on the secondary server, you may restore a copy of the encrypted database.
Some things to note before applying TDE, as there are drawbacks. Remember that Transparent Data Encryption encrypts the underlying database files, including the backups: you can't just take the files and drop them onto another SQL Server without the appropriate encryption keys and certificates. It does NOT allow for granular, user-level encryption. If that is the type of encryption you are looking for, you should investigate column-level encryption.
Translated from: https://www.sqlshack.com/how-to-configure-transparent-data-encryption-tde-in-sql-server/