TDE
only provides I/O level encryption to data file and log file, not on
network level and cause 2-5% performance when perform DB Backup/DML
operations/Indexing rebuild/TempDB operations. And Filesttream data
and buffer pool extension data does not encrypt by TDE, Also
Replication HA does not enable encryption automatically.
Request
1: Encrypt the TDE_Test database on SQL Server A.
Request
2: Take the encrypted database backup file from Server A
and restore on Server B.
Request
1: Encrypt
the database<TDE_test> on SQL Server A.
Solution:
Connect to SQL Server A with SA
account. This is the server where we need to encrypt the
database<TDE_test>
Note:
- Must have to take a Full backup before starting the encryption activity.
- Follow below mentioned restrictions. Refer page no. 4.
Step
1: Execute below query. The below
query to Keep/set database in Single user mode and only for Read only
operation.
Note:
No open transaction on the user database<TDE_Test>.
USE
master
;
GO
ALTER
DATABASE
TDE_test
SET
SINGLE_USER
WITH
ROLLBACK
IMMEDIATE;
GO
ALTER
DATABASE
TDE_test
SET
READ_ONLY;
GO
Step
2: Execute below query. The below query
will create master encryption Key in master Database.
--
Create Master Key with password. Note:
Provide strong password and upload on Keepass
USE
master;
GO
Create
MASTER KEY
ENCRYPTION
BY PASSWORD
=
'2#TDEPassword$11';
go
Step
2: Execute below query. The below script will create certificate in
master database.
--
Create certificate
USE
master;
CREATE
CERTIFICATE
TDETest1Certificate
WITH
SUBJECT =
'TDETest1Certificate';
go
Step
3: Execute below query. The below script to..
--
Create Database Encryption key to Encrypt database using created
certificate.
USE
[TDE_test]
GO
CREATE
DATABASE
ENCRYPTION
KEY
WITH
ALGORITHM =
AES_128
ENCRYPTION
BY SERVER
CERTIFICATE
TDETest1Certificate;
GO
--RESULT
OF ABOVE [TDE_test] DB ENCRYPTION
--
Warning: The certificate used for encrypting the database encryption
key has not been backed up.
--You
should immediately back up the certificate and the private key
associated with the certificate.
--
If the certificate ever becomes unavailable or if you must restore or
attach the database on another server,
--you
must have backups of both the certificate and the private key or you
will not be able to open the database.
Step
4: Execute below query. The below script will generate two backup
files: certificate file and private key file. Also here the password
should be same as master Key Password. Refer Step 1.
--Take
backups of both the certificate and the private key.
use
master
BACKUP
CERTIFICATE
TDETest1Certificate
TO
FILE =
'D:\TDETest1Certificate.cer'
with
private key
(file='D:\DTE_test_Cert_Key.pvk',
encryption
by
password='2#TDEPassword$11');
GO
Step
5: Execute below query. The Below script will on the encryption.
--
On Encryption for DB
ALTER
DATABASE
[TDE_test]
SET
ENCRYPTION
On;
GO
Step
6: Execute below query. The below script will change the database
mode from Single user to multi user mode.
Use
Master
GO
ALTER
DATABASE TDE_test
SET
MULTI_USER;
GO
Step
7: Execute below script. The below script to verify the Encryption.
--The
value 3 represents an encrypted state
on
the database and transaction logs.
USE
TDE_test
;
SELECT
* FROM
sys.dm_database_encryption_keys
WHERE
encryption_state
= 3;
Encryption
Activity is completed from TDE_test database on Server A.
Below
steps to complete 2nd
request.
Request
2: Take the
database encrypted backup file from Server A and restore on Server B.
Solution:
Please follow below steps:
Step
1: Now Connect to Server B with
SA account..
This is destination server where we have to restore the encrypted
database<TDE_test>
- Take a Full backup of database as we have to restore on Server B.
- Also move the backup file and Certificate file and private key file in Server B.
--
Move or copy the database files from the source server to the same
location on the destination server.
--
Move or copy the backup of the server certificate and the private key
file from the source server to the same location on the destination
server.
Step
2:
--
Create a database master key on the destination instance of SQL
Server B.
USE
master;
GO
CREATE
MASTER KEY
ENCRYPTION
BY PASSWORD
=
'2#TDEPassword$11';
GO
Step
3:
--
Recreate the server certificate by using the original server
certificate backup file.
--
The password must be the same as the password that was used when the
backup was created.
CREATE
CERTIFICATE
TDETest1Certificate2
FROM
FILE =
'D:\TDETest1Certificate.cer'
WITH
PRIVATE KEY
(FILE
=
'D:\DTE_test_Cert_Key.pvk',
DECRYPTION
BY PASSWORD
=
'2#TDEPassword$11');
GO
Step
4: Now restore the backup file on
server B. and verify the encryption with below script.
SELECT
* FROM
sys.dm_database_encryption_keys
WHERE
encryption_state
= 3;
Restrictions
when you perform TDE:
The
following operations are not allowed during initial database
encryption, key change, or database decryption:
- Dropping a file from a filegroup in the database
- Dropping the database
- Taking the database offline
- Detaching a database
- Transitioning a database or filegroup into a READ ONLY stateThe following operations are not allowed during the CREATE DATABASE ENCRYPTION KEY, ALTER DATABASE ENCRYPTION KEY, DROP DATABASE ENCRYPTION KEY, or ALTER DATABASE...SET ENCRYPTION statements.
- Dropping a file from a filegroup in the database.
- Dropping the database.
- Taking the database offline.
- Detaching a database.
- Transitioning a database or filegroup into a READ ONLY state.
- Using an ALTER DATABASE command.
- Starting a database or database file backup.
- Starting a database or database file restore.
- Creating a snapshot.The following operations or conditions will prevent the CREATE DATABASE ENCRYPTION KEY, ALTER DATABASE ENCRYPTION KEY, DROP DATABASE ENCRYPTION KEY, or ALTER DATABASE...SET ENCRYPTION statements.
- The database is read-only or has any read-only file groups.
- An ALTER DATABASE command is executing.
- Any data backup is running.
- The database is in an offline or restore condition.
- A snapshot is in progress.
- Database maintenance tasks.When creating database files, instant file initialization is not available when TDE is enabled.In order to encrypt the database encryption key with an asymmetric key, the asymmetric key must reside on an extensible key management provider.
Question:
How to drop Encryption from database.
Answer:
Step
1: Turn
off
encryption
on your
user
database
ALTER
DATABASE
your_user_database
SET
ENCRYPTION
OFF
Step
2: Drop
the
Database
Encryption
Key of
your user
database
USE
your_user_database
GO
DROP
DATABASE
ENCRYPTION
KEY
Step
3: Drop
the
certificate
and master
key on
master
database
USE
master
GO
DROP
CERTIFICATE
[TDETest1Certificate]
DROP
MASTER KEY
Question:
How to Alter Encryption
Answer:
No comments:
Post a Comment