172 Chapter5•ManagingDataEncryption Requirements The SQL Server 2008 Enterprise and Developer editions only support TDE. TDE-encrypted databases cannot be attached/used by other editions. Enabling TDE The steps to enable TDE on a database consist of the following: 1. Creating a service master key at the database instance. 2. Creating a database master key and associated certificate in the master database. 3. Creating a database encryption key in the user database to be encrypted. 4. Setting the user database to use the encryption. Before describing the mechanics of creating the components of the TDE, let’s review the SQL Server 2008 cryptography scheme. At its core TDE uses the Windows Data Protection application program interface (API) to encrypt and decrypt keys and data. In Microsoft Window 2000, the Data Protection API (DPAPI) was introduced to encrypt and decrypt data. Since SQL Server 2005, DPAPI is used to generate a key for the database instance, also known as the service master key (SMK). At the time the database instance is created, the SMK is generated by using the DPAPI functions and the Windows credentials of the SQL Server service account. The SMK is then encrypted using local machine credentials. The SMK can only be decrypted by the service account used during the SQL Server setup processing at installation or by an account that has access to the SQL Server service account’s Windows credentials or belongs to the same security group. The SMK is used to encrypt and decrypt all other keys within the SQL Server instance. Table 5.1 describes the key hierarchy in TDE to enable the encryption of a user database. ManagingDataEncryption•Chapter5 173 Table 5.1 The Hierarchy in TDE Step SQL Server Key Dec SQL Command 1 Service master key (SMK) Created by SQL Server at the time of setup, the SMK is encrypted using Windows Operating System’s Data Protection API (DPAPI) and the local computer key that is derived from the Windows credentials of the SQL Server service account and the computer BACKUP SERVICE MASTER KEY TO FILE = '<complete path and filename>' ENCRYPTION BY PASSWORD = '<password>'; 2 Master database’s database master key (DMK) and certificate The DMK is created and stored in the master database. The DMK is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the database. When it is created, the DMK is encrypted by using the Triple Data Encryption Standard (DES) algorithm and a user-supplied password. Please note it is best practice to back up the DMK in a safe location. USE master GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = ‘some password’; CREATE CERTIFICATE tdeCert WITH SUBJECT = ‘TDE Certificate’; BACKUP CERTIFICATE tdeCert TO FILE = ‘path_to_ file’ WITH PRIVATE KEY (FILE = ‘path_to_ private_key_file’, ENCRYPTION BY PASSWORD = ‘ TDE cert p@sswurd’); Continued 174 Chapter5•ManagingDataEncryption Step SQL Server Key Dec SQL Command 3 Database encryption key (DEK) The DEK is stored in the boot record of the encrypted database and is created by using the DMK certificate. CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE tdeCert Table 5.1 Continued. The Hierarchy in TDE TDE encrypts the data and log files using the database encryption key (DEK) and the specified encryption algorithm defined for the target TDE database. The complexity of encryption in TDE arises from the SQL Server encryption hierarchy to create and use the DEK as well as the specified encryption algorithm. SQL Server supports a number of encryption algorithms including 3 Key Triple DES, AES with 128-bit, 192-bit or 256-bit key. The definition or best practices of encryption keys are beyond the scope of this book, but as a general rule strong encryption algorithms require more CPU resources and in generally are slower. Configuring & Implementing… Backup Service Master Key Creating a backup of the SMK is the first activity that should be done after an SQL Server installation. The SMK backup should be stored in a secure, off-site location. It’s important to protect and have a backup of the SMK, as it’s the “Master Key” to encryption for the SQL database. BACKUP SERVICE MASTER KEY TO FILE = '<pathname>\<filename>' ENCRYPTION BY 'password' Continued ManagingDataEncryption•Chapter5 175 Note that the password specified in the T-SQL commands are subject to password complexity checks. The complexity checks include the following: Must be eight characters long with a maximum of 128 characters  Does not contain all or part of the user account name  Contains characters from three of the following:  Uppercase Latin letter (A thru Z) Lower case Latin letters (a thru z) Numeric digits 0 thru 9 Non-alphanumeric characters: ! (exclamation point), $ (dollar sign), # number sign, % (percent sign). How Data Is Encrypted Using the DEK and encryption algorithm, TDE encrypts the database files at the database page level. Before the data page is written to disk, each page is encrypted and decrypted when the page is read into memory. The page is encrypted and decrypted using the DEK. When TDE is enabled for a database, the is_crypted column in the sys.databases view is changed to 1, indicating the database is set for encryption. The encryption scan process then starts and scans all the database files associated to the database and encrypts the database files using the specified encryption algorithm specified when creating the DEK. The encryption process takes a shared lock on the database and encrypts each page in the specified database. During this process, detaching the database or file structure changes is denied. Data existing in the log file is not encrypted. Entries in the log file are encrypted entries after the encryption process is complete. Once the database encryption is complete, all database encryption and decryption is performed in memory. Each page is decrypted when the page is read into memory and each page is encrypted before the data page is written to disk. The page is encrypted and decrypted using the DEK. Encryption Keys Keys are the basis of cryptography, the science of obfuscating/hiding information. There are two types of keys used in SQL Server for encryption, symmetric and asymmetric. 176 Chapter5•ManagingDataEncryption Symmetric keys use the same password to encrypt and decrypt data, whereas asymmetric keys use one password (public key) to encrypt the data and another (private key) to decrypt the data. While the symmetric key processing is faster than asymmetric keys, the limitation is that using the same password for encryption and decryption is not as secure as asymmetric keys. Certificates and asymmetric keys are both used in asymmetric encryption. A certificate, also known as public key certificate, is a digital object that binds a digital signature to a person or organization. Certificates are generally used to identify a person or organization. In other words, a certificate is an electronic form of an id card. Often used as containers for asymmetric keys, certificates have addition attributes such as issuer and expiration information as specified in the Internet Engineering Task Force (IETF) X.509v3 standard. Within SQL Server 2008, certificates provide several purposes. Certificates can be used for the following tasks: To encrypt connections and data transmitted across a network between  SQL Server and a client application To support database mirroring  To encrypt Service broker conversations  To sign Integration services packages to sign the source.  Certificates in SQL Server are securable objects, meaning permissions can be granted or denied to them, just as with tables and views. SQL Server can use internally generated certificates or externally generated ones. Key Management Key management provides the ability to: Create new database keys  Back up and restore server and database keys  Restore, delete, and change keys.  By default, TDE locally stores all encryption keys with SQL Server, and provides the ability to export keys to files to be archived. As more information is encrypted, the management of these keys becomes challenging. External key management (EKM), new in SQL Server 2008, provides organizations with hardware-based security modules (HSM) or external software . in the user database to be encrypted. 4. Setting the user database to use the encryption. Before describing the mechanics of creating the components of the TDE, let’s review the SQL Server 2008. using the DPAPI functions and the Windows credentials of the SQL Server service account. The SMK is then encrypted using local machine credentials. The SMK can only be decrypted by the service. for the target TDE database. The complexity of encryption in TDE arises from the SQL Server encryption hierarchy to create and use the DEK as well as the specified encryption algorithm. SQL Server