Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption
Contents What is Transparent Data Encryption (TDE) How it works How to implement TDE Things to keep in mind After Effects of enabling TDE July 22 nd, 20102Curaçao SQL Server User Group
What is TDE Encryption that protect the physical files performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. July 22 nd Curaçao SQL Server User Group
July 22 nd, 2010Curaçao SQL Server User Group4 How it Works Server starts a background thread that scans all the database files and encrypts them The supported encryption algorithms are AES with 128, 196 and 256 bit keys or 3 key triple DES. The only operations that are not allowed while the encryption thread runs are modifying the file structure and taking the database offline by detaching it. The scan also rolls over the virtual log file so that the future writes to the log are encrypted.
Implementation of TDE Create a master key Create or obtain a certificate protected by master key. Create a database key and protect it by the certificate. Set the database you want to protect to use the encryption. July 22 nd, 20105Curaçao SQL Server User Group
Things that need to be noted. Read Only Filegroups and FileStream Data type Maintenance/Recovery/Warm Standby TempDB Compressed Backups Known Issue with TDE July 22 nd, 20106Curaçao SQL Server User Group
November 26, 20097Curaçao SQL Server User Group
Additional Resources Books Online topics TDE July 22 nd, 2010Curaçao SQL Server User Group8
November 26, 20099Curaçao SQL Server User Group