
The Real MCTS SQL Server 2008 Exam 70-432 Prep Kit - P42


ManagingDataEncryption•Chapter5 187 Exam Objectives Frequently Asked Questions Q: What is DPAPI and how is it used in TDE architecture? A: DPAPI (Data Protection Application Programming Interface) is a set of cryptographic program interface introduced with Microsoft Windows 2000 and later Microsoft Windows operating systems. The API consists of two functions: CryptProtectData (used to encrypt data) and CryptUnprotectData (to decrypt data). DPAPI is the top level of the TDE encryption hierarchy and is used by SQL Server to protect the service master key (SMK) for the database instance. In TDE, the SMK is used to protect the next level of the SQL Server encryption hierarchy, specifically the database master key (DMK), and is stored in the master database. The last encryption level for TDE is the database encryption key (DEK). Using a certificate created for the DMK, the DEK is encrypted using the DMK certificate from the master database and then stored in the specified user database. Q: What is Transparent Data Encryption? A: Transparent Data Encryption (TDE) provides the ability to encrypt entire databases, data, and log files without the requirement of application changes and with minimal performance impact. Q: What edition of SQL Server is required to use TDE? A: TDE is only available on SQL Server 2008 Enterprise and Developer editions. Q: When is the Service Master Key created? A: The SMK is created during SQL Server setup of the instance. It uses the DPAPI and the SQL Server service credential to generate the SMK. Q: What is the Service Master Key used for? A: The SMK is at the core of SQL Server encryption. An SMK is generated on a SQL Server instance when an instance is first started. The SMK is used to encrypt various components on the database instance including linked server passwords, database master keys, and credentials. The SMK is encrypted by using the local computer. 
By default, the SMK is created by the Windows service account using the Windows data protection API and the local server key. 188 Chapter5•ManagingDataEncryption Q: Where are the certificates stored? A: By default all keys and certificates are stored in the SQL Server. With EKM and HSM vendors, keys can be stored outside of SQL Server. Q: What is the difference between cell- and column-level encryption? A: Cell- and column-level encryption require that the column to be encrypted in the table schema be stored as a varbinary object. The main difference between cell- and column-level encryption is that the expense of column-level encryption is magnified by the number of rows in the table. Managing Data Encryption • Chapter 5 189 Self Test 1. What level of protection does transparent data encryption (TDE) provide? A. Cell-level B. File-level C. Database-level D. Drive-level 2. Which of the following best describes transparent data encryption (TDE)? A. Data in specific columns is encrypted. B. Encrypts everything, such as indexes, stored procedures, functions, keys, etc, without sacrificing security or leaking information on the disk. C. Once data types have been changed to varbinary, everything will be encrypted. D. Once database schemas have been changed to accommodate data encryption, everything will be encrypted. 3. Which edition of SQL Server 2008 offers transparent data encryption (TDE)? A. SQL Server 2008 Express B. SQL Server 2008 Standard C. SQL Server 2998 Web D. SQL Server 2008 Enterprise 4. Which SQL Server permissions are required to enable transparent data encryption (TDE)? A. Permissions associated with creating the user database. B. Permissions associated with making server-level changes. C. Permissions associated with creating a database master key and certificate in the master database and control permissions on the user database. D. Permissions associated with the operating system administrator’s account. 5. 
The first step to enabling TDE on a database is to create a database master key (DMK). Which of the following is the correct syntax for creating a DMK? A. CREATE MASTER KEY ENCRYPTION BY PASSWORD = ‘somepassword’; 190 Chapter 5 • Managing Data Encryption B. ALTER DATABASE tdedatabase SET ENCRYPTION ON; C. CREATE CERTIFICATE tdeCert WITH SUBJECT = ‘tdeCertificate’; D. CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE tdeCert; 6. It is very important to back up the Certificate with the private key once it has been created and to copy it to a secure location other than on the server that it was created on. Which of the following is the correct syntax to back up a Certificate? A. CREATE CERTIFICATE tdeCert WITH SUBJECT = ‘tdeCertificate’; B. BACKUP CERTIFICATE tdeCert TO FILE = ‘path_to_file’ WITH PRIVATE KEY (FILE = ‘path_to_private_key_file’, ENCRYPTION BY PASSWORD = ‘cert password’); C. CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE tdeCert; D. ALTER DATABASE tdedatabase SET ENCRYPTION ON; 7. Which sys catalog view is used to monitor the progress of an encryption scan? A. Sys.configurations B. Sys.certificates C. Sys.key_encryptions D. Sys.dm_database_encryption_keys 8. When transparent data encryption (TDE) is enabled, which of the following system catalog views will the database show as encrypted? A. Sys.databases B. Sys.all_objects C. Sys.all_columns D. Sys.configurations 9. When transparent data encryption (TDE) is enabled, database backups are encrypted. If you cannot locate the associated Certificate and private key files, what happens to the data if you need to restore the encrypted database? A. Everything will be readable since the Certificate and private key can be recreated. Managing Data Encryption • Chapter 5 191 B. The data will not be readable since the Certificate and private key files are lost. C. Only encrypted columns will not be readable. D. 
Everything will be readable once the database encryption has been turned off in the master database. 10. In which edition of SQL Server 2008 is cell-level encryption available? A. Only in the Enterprise edition B. Only in the Web edition C. Only in the Workgroup edition D. All SQL Server 2008 editions 11. When using cell-level encryption which data type is required in order to encrypt the data? A. VARCHAR B. No special data type is necessary C. BINARY D. VARBINARY 12. What is the query performance impact when using cell-level encryption? A. There is a positive query performance impact since there are only specific columns that are encrypted. B. There is a negative query performance impact since data types have to be converted from varbinary to the correct data type and primary keys and indexes are not used, resulting in full table scans. C. There is a negative query performance impact unless TDE has been enabled. D. There is a positive query performance impact as long as TDE has been enabled. 13. Cell-level encryption is best used in which of the following? A. Performance sensitive situations B. All situations C. Limited access control through the use of passwords situations D. Situations when a password is not needed to access the encrypted data . edition of SQL Server 2008 offers transparent data encryption (TDE)? A. SQL Server 2008 Express B. SQL Server 2008 Standard C. SQL Server 2998 Web D. SQL Server 2008 Enterprise 4. Which SQL Server. is the Service Master Key created? A: The SMK is created during SQL Server setup of the instance. It uses the DPAPI and the SQL Server service credential to generate the SMK. Q: What is the. by SQL Server to protect the service master key (SMK) for the database instance. In TDE, the SMK is used to protect the next level of the SQL Server encryption hierarchy, specifically the database
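The key hierarchy described in the FAQ above (SMK, DMK, certificate, DEK) can be inspected from the catalog views on an instance where TDE is already set up. The queries below are an added example, not taken from the book; they use only built-in SQL Server views and assume they are run by a login allowed to view server state and the master database's keys.

```sql
-- Added example: audit the TDE key hierarchy on an instance.
USE master;

-- Levels 1 and 2: the service master key and the master database's DMK.
-- Both appear in master under these fixed system names.
SELECT name, algorithm_desc, key_length, create_date
FROM sys.symmetric_keys
WHERE name IN ('##MS_ServiceMasterKey##', '##MS_DatabaseMasterKey##');

-- Level 3: certificates in master and how each private key is protected.
-- A TDE certificate should report ENCRYPTED_BY_MASTER_KEY so that the
-- instance can open it without a password at startup.
SELECT name, thumbprint, pvt_key_encryption_type_desc, expiry_date
FROM sys.certificates
WHERE name NOT LIKE '##%';   -- skip system-generated certificates

-- Level 4: every database encryption key, joined to the certificate that
-- encrypts it. This is the certificate (with its private key) whose backup
-- must exist off-server before the database can be restored elsewhere.
SELECT d.name              AS database_name,
       d.is_encrypted,
       k.encryption_state, -- 2 = encryption in progress, 3 = encrypted
       k.percent_complete, -- non-zero only while a scan is running
       k.key_algorithm,
       k.key_length,
       c.name              AS protecting_certificate
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d
  ON d.database_id = k.database_id
LEFT JOIN sys.certificates AS c
  ON c.thumbprint = k.encryptor_thumbprint;
-- A NULL protecting_certificate means no certificate in master matches the
-- encryptor thumbprint, for example when the DEK is protected by an
-- asymmetric key held in an EKM provider.
```

Once any user database is encrypted, tempdb also appears in the last result set because SQL Server encrypts it automatically.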

Date posted: 06/07/2014, 23:21
