sql server encryption - adi cohn

06:34:00 PM

Adi Cohn - SRL Group

Encryption with SQL Encryption with SQL

Server 2008Server 2008

Agenda

Types of encryptions and there uses

Price of encryption

Basic terms

Key management types

Encryption and permissions

Restoring database to a different server

Working with TDE

Types of encryption

SQL Server 2008 supports 2 completely different types of encryptions:

Cell level encryption – Encrypts part of the data DB level encryption – Encrypts the whole DB

Cell level Encryption

The encryption is “statement based”. The insert/update statements are responsible to encrypt the data and select statement has to decrypt the data.

Any application that works with the database has to be designed to work with the encryption and decryption mechanism

The developers and the DBA have many options to choose from and lots of control over the encryption mechanism

Database level encryption

The whole database is encrypted. The encryption and decryption is transparent to

the applications. Used to protect from file theft (data or backup),

log shipping or mirroring DBA and developers don’t have many

configuration options and control on the encryption process.

“Price” of encryption

Encryption and decryption adds more CPU usage

Encrypted data takes much more disk space then the original data

SQL Server can not use index seek on encrypted data.

6

Basic terms

Encryption – Conversion of clear data into scrambled data that has to be modified in order to make scenes. The encrypted data also referred as chipertext.

Decryption – Transforming of the encrypted data into its original state. Decrypted data also referred as cleartext.

Basic terms

Key – The mechanism that is used in order encrypt and decrypt the data.

Symmetric key – The same key is used for encrypting and decrypting the data (also known as shared key).

Asymmetric key – Different keys are used to encrypt or decrypt the data (Also known as private and public keys).

Symmetric mechanism works faster then asymmetric mechanism, but is considered a weaker mechanism then asymmetric mechanism.

Basic terms

Certificate – An electronic document that contains asymmetric keys with identifying information about its owner and the CA that issued the certificate

Key management

SQL Server uses 3 types of key management: External key management – SQL Server 2008

introduced the ability to use an external application to manage the keys.

Encrypt by password – The user supplies a password for key generating, and the keys are managed independently

SQL internal hierarchical mechanism – There are few layers of key management that are structured as hierarchy. Each key is depended on a key in a layer above

Encryption hierarchy

4 Ways to encrypt and decrypt the data

SQL Server suports 4 mechanisim to encrypt data:

Encryption by PassPhrase Encryption by symmetric key Encryption by asymmetric key Encryption by certificates

Demo1 encrypting and decrypting columns

Security Considerations

In reality unlike in the demo, there are security considerations. Users need to get permissions to use the keys.

Unfortunately there isn’t a direct way to grant permission only to encrypt and\or decrypt the data

In order to limit the usage of the keys we’ll need to implement our own code.

Demo 2 – Implementing security

Moving an encrypted DB (column level)

Sometimes there is a need to move the database to a new server

Keys that were encrypted by password can be used immediately

Before using keys that are managed by SQL Server, we need to modify the database master key

16

Demo 3 – Moving the database to adifferent instance

17

Transparent database encryption

TDE can be done only on SQL Server 2008 Enterprise edition

Before configuring TDE we have to create asymmetric keys or certificate Create a database encryption key

It is important to backup the all the certificates and keys that were used to configure the TDE

After we created the database encryption key we need to run alter database statement

While the database is being encrypted, users can still work with it

We can monitor encryption’s progress with sys.dm_database_encryption_keys

Demo 4 – Using TDE

06:34:00 PM

Thank you for listening

adic@srl.co.il