Setting up TDE:
There are a few steps to set up TDE for your SQL Server database(s):
- Create a Master Key (on the master database)
- Create a Certificate with the Master Key (on the master database, and back this certificate up)
- Create Database Encryption Key (on the database you want to use TDE on)
- Turn on encryption on the required database
- Repeat steps 3 & 4 for any other databases you require TDE for
SQL for these steps (taken from MSDN):
use master;gocreate master key encryption by password = '<UseStrongPasswordHere>';gocreate certificate MyServerCertwithsubject = 'My DEK Certificate';gouse AdventureWorks2012;gocreate database encryption keywith algorithm = aes_128encryption by server certificate MyServerCert;goalter database AdventureWorks2012 set encryption on;go
Moving a TDE Encrypted database:
If a database using TDE is required to be restored to another server, the following steps must be followed:
- Via Windows Explorer, copy TDE encrypted database, backup of server key and certificate to destination server
- Create database master key on destination server
- Recreate server certificate on destination server using backup from origin server
- Restore / attach TDE encypted database
Resources:
Recover database without database encryption key:
http://dba.stackexchange.com/questions/34753/can-i-recover-a-tde-certificate-by-restoring-the-master-database
http://dba.stackexchange.com/questions/34753/can-i-recover-a-tde-certificate-by-restoring-the-master-database
MSDN - set up / move TDE encrypted database: https://msdn.microsoft.com/en-gb/library/ff773063.aspx
No comments:
Post a Comment