This post demonstrates the use of Transparent Data Encryption (TDE) to protect database files including backups. To understand how this features can be employed to improve the security of database applications, please review this post.
The first step in the demonstration is to create an empty database which will be encrypted with TDE in a later step:
USE master;GO
IF EXISTS (SELECT * FROM sys.databases WHERE name = 'TdeDemo') DROP DATABASE TdeDemo;GO
CREATE DATABASE TdeDemo;GO
Next, create the server-level certificate which will protect the database key used to encrypt the database's files. This certificate in turn will be protected by the master key which if it does not exist will need to be created:
IF NOT EXISTS(SELECT * FROM sys.symmetric_keys WHERE name LIKE '%[_]DatabaseMasterKey%') BEGIN CREATE MASTER KEY ENCRYPTION BY PASSWORD = '997jkhUbhk$w4ez0876hKHJH5gh';ENDGO
CREATE CERTIFICATE MyTdeCert WITH SUBJECT = 'My TDE Certificate';GO
With the server-level components in place, the database can now be encrypted. This is done by first creating the database (symmetric) encryption key within the database and then enabling TDE:
USE TdeDemo;GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE MyTdeCert;GO
ALTER DATABASE TdeDemo SET ENCRYPTION ON;GO
Database encryption may take a while to complete. While in progress, the sys.dm_database_encryption_keys data management view will show the database in an encryption_state of 2:
SELECT DB_NAME(database_id) as DB,encryption_state FROM sys.dm_database_encryption_keys WHERE database_id=DB_ID();GO
DB encryption_state-------- ----------------TdeDemo 2
(1 row(s) affected)
Once TDE encryption has been fully applied, the encryption_state will become 3:
DB encryption_state-------- ----------------TdeDemo 3
Now to demonstrate the protection of database backup files through TDE, backup the database and its certificate. Please note that these are being backed up locally to the same location. This is not a secure practice but is expediant for this demo:
BACKUP CERTIFICATE MyTdeCert TO FILE = 'c:\temp\MyTdeCert' WITH PRIVATE KEY ( FILE = 'c:\temp\MyTdeCertPrivateKey', ENCRYPTION BY PASSWORD = '997jkhUbhk$w4ez0876hKHJH5gh' );GO
BACKUP DATABASE TdeDemo TO DISK = 'c:\temp\TdeDemo.bak' WITH INIT;GO
By dropping the database and the server-level certificate, we can simulate a restore to a different server:
DROP DATABASE TdeDemo;GO
DROP CERTIFICATE MyTdeCert;GO
With the certificate missing, the restore operation will fail:
RESTORE DATABASE TdeDemo FROM DISK = 'C:\temp\TdeDemo.bak';GO
Msg 33111, Level 16, State 3, Line 1Cannot find server certificate with thumbprint '0x686A8264E4A17572FBAE6A1D091A47D600847FB6'.Msg 3013, Level 16, State 1, Line 1RESTORE DATABASE is terminating abnormally.
It's not until the certificate is recovered to the server that the backup file can be restored:
CREATE CERTIFICATE MyTdeCert FROM FILE = 'c:\temp\MyTdeCert' WITH PRIVATE KEY ( FILE = 'c:\temp\MyTdeCertPrivateKey', DECRYPTION BY PASSWORD = '997jkhUbhk$w4ez0876hKHJH5gh' );GO
Processed 168 pages for database 'TdeDemo', file 'TdeDemo' on file 1.Processed 2 pages for database 'TdeDemo', file 'TdeDemo_log' on file 1.RESTORE DATABASE successfully processed 170 pages in 0.157 seconds (8.415 MB/sec).
To reset the environment: