Scribd
Upload
19 views

Encryption

Uploaded by

liu001shin
Copyright
© © All Rights Reserved
Available Formats
Download as PPSX, PDF, TXT or read online on Scribd
19 views

Encryption

Uploaded by

liu001shin
Copyright
© © All Rights Reserved
Available Formats
Download as PPSX, PDF, TXT or read online on Scribd
You are on page 1/ 19

Created by:

SQL Server
Robert Stewart

Last Updated:
August 18, 2020
Encryption
Course:
SQL710
Encryption
Protecting your data from illegal access should be a TOP priority for any DBA in today’s
environment. Implementing a firewall and access privileges are not sufficient to protect your data.
As can be seen from the daily news of data breaches from companies around the world it is
imperative to protect the data from illegal breaches that occur from behind the firewall.
Encryption

A multi tier approach to security is needed – Firewalls, User Privileges, Physical Access, and
Encryption (database level, transmission level, and backups).
Encryption at Rest
Database Level Encryption – Transparent Data Encryption

• proper keys are needed to decipher database contents

• client and/or server applications are unaware of the encryption

• uses symmetric keys in combination with asymmetric keys


Encryption
• encrypted at the page level
TDE
• data file, log files, tempdb, and backup files are all encrypted

• does not increase the size of the database

• approximately a 3-5% performance hit


1. Create a master key

2. Create or obtain a certificate protected by the master key


Encryption
TDE 3. Create a database encryption key and protect it by the certificate

4. Set the database to use encryption


USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';
go
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
go
USE AdventureWorks2012;
Encryption GO
TDE CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
ALTER DATABASE AdventureWorks2012
SET ENCRYPTION ON;
GO
Encryption
TDE
Backup files of databases that have TDE enabled are also encrypted by using the database
encryption key.

As a result, when you restore these backups, the certificate protecting the database encryption key
must be available.
Encryption
TDE This means that in addition to backing up the database, you have to make sure that you maintain
backups of the server certificates to prevent data loss.

Data loss will result if the certificate is no longer available


Encryption in Transit
• Secure Sockets Layer encrypts traffic to and from the SQL Server instance and the client
o newer versions of SQL Server use Transport Layer Security (TLS)

• client can validate the server’s identity by using the server’s certificate
o can be obtained from a certificate authority (CA)
o or Windows Server can create the certificate
Encryption  these self signed certificates are not as secure as a CA and should not be used on
SSL/TLS publicly exposed databases

• name of the certificate must be the fully qualified domain name (FQDN) of the computer

• Certificates are stored locally for the users on the client computer

• client must be able to verify the ownership of the certificate used by the server
• An extra network roundtrip is required at connect time

• Packets sent from the application to the instance of SQL Server must be encrypted by
the client TLS stack and decrypted by the server TLS stack
Encryption
SSL/TLS • Packets sent from the instance of SQL Server to the application must be encrypted by
the server TLS stack and decrypted by the client TLS stack
• SQL Server also supports Internet Protocol Security (IPSec)

• IPSec is provided by the client and server operating systems


Encryption and requires no SQL Server configuration
IPSec
Always Encrypted
• basically a column level encryption mechanism

• encrypts column data at rest, in server memory, and in transit

• only client has access to column data

Encryption • the client does the encryption and decryption


Always o Always Encrypted-enabled driver
Encrypted

• only equality comparison queries supported

• uses the concept of a key store


o client application needs access to this store
• Server Side actions
o cannot copy data from one column to another (if one or
more columns is encrypted)
Encryption  update, bulk insert, select into, insert
Always
Encrypted
Limitations
The Database Engine never operates on plaintext data stored in
encrypted columns, but it still supports some queries on encrypted data,
depending on the encryption type for the column. Always Encrypted
Encryption
Always supports two types of encryption: randomized encryption and
Encrypted deterministic encryption
Types of
Encryption
• always generates the same encrypted value for any given plain text
value

• allows point lookups, equality joins, grouping and indexing on encrypted


Encryption columns
Always
Encrypted
Deterministic • it may allow unauthorized users to guess information about encrypted
values by examining patterns in the encrypted column especially if
there's a small set of possible encrypted values, such as True/False, or
North/South/East/West region
• uses a method that encrypts data in a less predictable manner

• is more secure

Encryption • prevents searching, grouping, indexing, and joining on encrypted


Always
columns
Encrypted
Randomized

You might also like