Upload
sqlservercoil
View
2.854
Download
2
Embed Size (px)
DESCRIPTION
Citation preview
06:34:00 PM
Adi Cohn - SRL Group
Encryption with SQL Encryption with SQL
Server 2008Server 2008
Agenda
Types of encryptions and there uses
Price of encryption
Basic terms
Key management types
Encryption and permissions
Restoring database to a different server
Working with TDE
Types of encryption
SQL Server 2008 supports 2 completely different types of encryptions:
Cell level encryption – Encrypts part of the data DB level encryption – Encrypts the whole DB
Cell level Encryption
The encryption is “statement based”. The insert/update statements are responsible to encrypt the data and select statement has to decrypt the data.
Any application that works with the database has to be designed to work with the encryption and decryption mechanism
The developers and the DBA have many options to choose from and lots of control over the encryption mechanism
Database level encryption
The whole database is encrypted. The encryption and decryption is transparent to
the applications. Used to protect from file theft (data or backup),
log shipping or mirroring DBA and developers don’t have many
configuration options and control on the encryption process.
“Price” of encryption
Encryption and decryption adds more CPU usage
Encrypted data takes much more disk space then the original data
SQL Server can not use index seek on encrypted data.
6
Basic terms
Encryption – Conversion of clear data into scrambled data that has to be modified in order to make scenes. The encrypted data also referred as chipertext.
Decryption – Transforming of the encrypted data into its original state. Decrypted data also referred as cleartext.
Basic terms
Key – The mechanism that is used in order encrypt and decrypt the data.
Symmetric key – The same key is used for encrypting and decrypting the data (also known as shared key).
Asymmetric key – Different keys are used to encrypt or decrypt the data (Also known as private and public keys).
Symmetric mechanism works faster then asymmetric mechanism, but is considered a weaker mechanism then asymmetric mechanism.
Basic terms
Certificate – An electronic document that contains asymmetric keys with identifying information about its owner and the CA that issued the certificate
Key management
SQL Server uses 3 types of key management: External key management – SQL Server 2008
introduced the ability to use an external application to manage the keys.
Encrypt by password – The user supplies a password for key generating, and the keys are managed independently
SQL internal hierarchical mechanism – There are few layers of key management that are structured as hierarchy. Each key is depended on a key in a layer above
Encryption hierarchy
4 Ways to encrypt and decrypt the data
SQL Server suports 4 mechanisim to encrypt data:
Encryption by PassPhrase Encryption by symmetric key Encryption by asymmetric key Encryption by certificates
Demo1 encrypting and decrypting columns
Security Considerations
In reality unlike in the demo, there are security considerations. Users need to get permissions to use the keys.
Unfortunately there isn’t a direct way to grant permission only to encrypt and\or decrypt the data
In order to limit the usage of the keys we’ll need to implement our own code.
Demo 2 – Implementing security
Moving an encrypted DB (column level)
Sometimes there is a need to move the database to a new server
Keys that were encrypted by password can be used immediately
Before using keys that are managed by SQL Server, we need to modify the database master key
16
Demo 3 – Moving the database to adifferent instance
17
Transparent database encryption
TDE can be done only on SQL Server 2008 Enterprise edition
Before configuring TDE we have to create asymmetric keys or certificate Create a database encryption key
It is important to backup the all the certificates and keys that were used to configure the TDE
After we created the database encryption key we need to run alter database statement
While the database is being encrypted, users can still work with it
We can monitor encryption’s progress with sys.dm_database_encryption_keys
Demo 4 – Using TDE