SQL Server Encryption - Adi Cohn
-
Upload
sqlservercoil -
Category
Technology
-
view
2.857 -
download
2
description
Transcript of SQL Server Encryption - Adi Cohn
![Page 1: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/1.jpg)
06:34:00 PM
Adi Cohn - SRL Group
Encryption with SQL Encryption with SQL
Server 2008Server 2008
![Page 2: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/2.jpg)
Agenda
Types of encryptions and there uses
Price of encryption
Basic terms
Key management types
Encryption and permissions
Restoring database to a different server
Working with TDE
![Page 3: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/3.jpg)
Types of encryption
SQL Server 2008 supports 2 completely different types of encryptions:
Cell level encryption – Encrypts part of the data DB level encryption – Encrypts the whole DB
![Page 4: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/4.jpg)
Cell level Encryption
The encryption is “statement based”. The insert/update statements are responsible to encrypt the data and select statement has to decrypt the data.
Any application that works with the database has to be designed to work with the encryption and decryption mechanism
The developers and the DBA have many options to choose from and lots of control over the encryption mechanism
![Page 5: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/5.jpg)
Database level encryption
The whole database is encrypted. The encryption and decryption is transparent to
the applications. Used to protect from file theft (data or backup),
log shipping or mirroring DBA and developers don’t have many
configuration options and control on the encryption process.
![Page 6: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/6.jpg)
“Price” of encryption
Encryption and decryption adds more CPU usage
Encrypted data takes much more disk space then the original data
SQL Server can not use index seek on encrypted data.
6
![Page 7: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/7.jpg)
Basic terms
Encryption – Conversion of clear data into scrambled data that has to be modified in order to make scenes. The encrypted data also referred as chipertext.
Decryption – Transforming of the encrypted data into its original state. Decrypted data also referred as cleartext.
![Page 8: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/8.jpg)
Basic terms
Key – The mechanism that is used in order encrypt and decrypt the data.
Symmetric key – The same key is used for encrypting and decrypting the data (also known as shared key).
Asymmetric key – Different keys are used to encrypt or decrypt the data (Also known as private and public keys).
Symmetric mechanism works faster then asymmetric mechanism, but is considered a weaker mechanism then asymmetric mechanism.
![Page 9: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/9.jpg)
Basic terms
Certificate – An electronic document that contains asymmetric keys with identifying information about its owner and the CA that issued the certificate
![Page 10: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/10.jpg)
Key management
SQL Server uses 3 types of key management: External key management – SQL Server 2008
introduced the ability to use an external application to manage the keys.
Encrypt by password – The user supplies a password for key generating, and the keys are managed independently
SQL internal hierarchical mechanism – There are few layers of key management that are structured as hierarchy. Each key is depended on a key in a layer above
![Page 11: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/11.jpg)
Encryption hierarchy
![Page 12: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/12.jpg)
4 Ways to encrypt and decrypt the data
SQL Server suports 4 mechanisim to encrypt data:
Encryption by PassPhrase Encryption by symmetric key Encryption by asymmetric key Encryption by certificates
![Page 13: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/13.jpg)
Demo1 encrypting and decrypting columns
![Page 14: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/14.jpg)
Security Considerations
In reality unlike in the demo, there are security considerations. Users need to get permissions to use the keys.
Unfortunately there isn’t a direct way to grant permission only to encrypt and\or decrypt the data
In order to limit the usage of the keys we’ll need to implement our own code.
![Page 15: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/15.jpg)
Demo 2 – Implementing security
![Page 16: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/16.jpg)
Moving an encrypted DB (column level)
Sometimes there is a need to move the database to a new server
Keys that were encrypted by password can be used immediately
Before using keys that are managed by SQL Server, we need to modify the database master key
16
![Page 17: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/17.jpg)
Demo 3 – Moving the database to adifferent instance
17
![Page 18: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/18.jpg)
Transparent database encryption
TDE can be done only on SQL Server 2008 Enterprise edition
Before configuring TDE we have to create asymmetric keys or certificate Create a database encryption key
It is important to backup the all the certificates and keys that were used to configure the TDE
![Page 19: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/19.jpg)
After we created the database encryption key we need to run alter database statement
While the database is being encrypted, users can still work with it
We can monitor encryption’s progress with sys.dm_database_encryption_keys
![Page 20: SQL Server Encryption - Adi Cohn](https://reader033.fdocuments.net/reader033/viewer/2022061202/547b28dbb4795995098b4cb6/html5/thumbnails/20.jpg)
Demo 4 – Using TDE