Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Server Encryption Ben Miller Blog:

Published byBrianna Sherman Modified over 7 years ago

Similar presentations

Presentation on theme: "SQL Server Encryption Ben Miller Blog:"— Presentation transcript:

1 SQL Server Encryption Ben Miller ben@benmiller.net Twitter: @DBAduck Blog: http://dbaduck.com http://PowerShellDBA.com

2 Introduction  Using SQL Server since version 4.2  SQL Server MCM  SQL Server MVP  Been in IT for over 25 years  Automation and Integration are specialties  MCAD: C# and Web Development  MCSE: Data Platform

3 Agenda  Encryption Hierarchy  Keys  Symmetric Keys  Asymmetric Keys  Database Encryption Key  Certificates  TDE  Encrypted Backup  Cell Encryption

4 Encryption Hierarchy

5

6 Encryption Keys  Symmetric Keys  Do not use RC4 and RC4_128 algorithms  Symmetric keys created with ALGORITHM = TRIPLE_DES_3KEY use TRIPLE DES with a 192-bit key.  Symmetric keys created with ALGORITHM = TRIPLE_DES use TRIPLE DES with a 128-bit key.  Assymmetric Keys  Only Windows logins, SQL Server logins, and application roles can own asymmetric keys. Groups and roles cannot own asymmetric keys  This is a Key Pair and Encrypted by Master Key or Password or EKM Provider  Can be RSA_512, RSA_1024, RSA_2048

7 Encryption Keys (2)  Database Encryption Key  Special Symmetric key used in TDE  Notes:  You should SALT the values on encryption so that comparisons or replacement hacks cannot take place.  For best performance, encrypt data using symmetric keys instead of certificates or asymmetric keys  Database master keys are protected by the Service Master Key  An Extensible Key Management (EKM) module holds symmetric or asymmetric keys outside of SQL Server  The Service Master Key and all Database Master Keys are symmetric keys

8 What is TDE?  Transparent Data Encryption  Encrypted Database “At Rest”  Encryption with AES or 3DES algorithms  AES_128, AES_192, AES_256, TRIPLE_DES_3KEY  Encryption is performed at the Page Level  Data and Log files  When one database is encrypted, tempdb is encrypted by default.  FILESTREAM data is not encrypted when TDE is enabled

9 Requirements for TDE - Review  SQL Server 2008/2012/2014 Enterprise Edition  Master database – Master Key  Master database – Certificate  User database – Database Encryption Key  Stored in the boot record of database for recovery  ALTER DATABASE SET ENCRYPTION ON

10 Benefits of TDE  No schema changes like cell level encryption  Page Level encryption  MSFT estimates degradation at 3-5% instead of 20-28% with cell level encryption **  Secure backups by default  Invisible to the User  “At Rest” Encryption

11 Disadvantages of TDE  Backup Compression no longer effective  Enterprise Edition required  With Cell Level encryption you have finer control over encrypted elements  With one database encrypted, TempDB is encrypted for ALL databases  Even when all DBs are decrypted, Server Restart required to remove encryption from TempDB

12 Backup Encryption  Requirements  Certificate or Asymmetric Key in EKM Provider  New Media Set  Backup Compression still effective

13 Show me the money! Demo

14 System DMVs for Encryption  sys.key_encryptions  sys.symmetric_keys  sys.certificates  sys.dm_database_encryption_keys  sys.asymmetric_keys

15 Things to watch for…  BACKUP database before enabling TDE  You are allowed to drop a certificate in the hierarchy used for TDE **  BACKUP all Certificates and Private Keys  BACKUP all Keys for safe keeping  In Mirroring and Replication, both databases are encrypted  ** Prior to SQL 2008 R2 SP2 you can drop the certificate because there is no dependency held.

16 Ticking Time Bombs  Certificates can be dropped (pre SQL 2008R2 SP2) even if TDE is enabled on a database.  Database will still function when certificate is dropped until restart. Ensure you have a backup.

17 Summary  Only available in Enterprise Edition  TDE is enabled via Keys and Certificates  Data is encrypted “At Rest” not over the wire  Backups of Encrypted database are encrypted  Protect your Encryption assets (Keys, Certificates, etc)

18 Resources  SQL PASS (http://www.sqlpass.org)http://www.sqlpass.org  SQL Saturday in your area (sqlsaturday.com)  SQL Server User Groups in your area  Microsoft SQL Server website  http://www.microsoft.com/sql http://www.microsoft.com/sql  SSWUG.org  http://www.sswug.org http://www.sswug.org

19 Contact Ben Miller Email: ben@sqlsolutionsgroup.com Twitter: @DBAduck Blog: http://dbaduck.com http://PowerShellDBA.com

Download ppt "SQL Server Encryption Ben Miller Blog:"

Similar presentations

SQL Server 2005 RDBMS Technical Overview Matthew Stephen IT Pro Evangelist (SQL Server) Microsoft Ltd.

SQL Server 2005 RDBMS Technical Overview Matthew Stephen IT Pro Evangelist (SQL Server) Microsoft Ltd.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Vinod Kumar M MTC – Technology Specialist Level: 300.

Vinod Kumar M MTC – Technology Specialist Level: 300.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Ho Ting Chung, Zeturl (52246962) 1.  Authentication  Encryption 2.

Ho Ting Chung, Zeturl ( ) 1.  Authentication  Encryption 2.
Gavin Payne Transparent Data Encryption The Hows, Whys and Whens.

Gavin Payne Transparent Data Encryption The Hows, Whys and Whens.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
15 Copyright © 2006, Oracle. All rights reserved. Database Security.

15 Copyright © 2006, Oracle. All rights reserved. Database Security.
File System and Full Volume Encryption Sachin Patel CSE 590TU 3/9/2006.

File System and Full Volume Encryption Sachin Patel CSE 590TU 3/9/2006.
STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Windows Encryption File System (EFS) Tech Briefing July 18 th 2008

STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Windows Encryption File System (EFS) Tech Briefing July 18 th 2008
Overview SQL Server 2008 Overview Presented by Tarek Ghazali IT Technical Specialist Microsoft SQL Server MVP, MCTS Microsoft Web Development MCP ITIL.

Overview SQL Server 2008 Overview Presented by Tarek Ghazali IT Technical Specialist Microsoft SQL Server MVP, MCTS Microsoft Web Development MCP ITIL.
Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS,

Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS,
Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist

Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Data Management Conference Data Security for Audit and Compliance Terry Room Architect, Microsoft Ltd London September 29th.

Data Management Conference Data Security for Audit and Compliance Terry Room Architect, Microsoft Ltd London September 29th.
Week #7 Objectives: Secure Windows 7 Desktop

Week #7 Objectives: Secure Windows 7 Desktop

Similar presentations

Ads by Google