[Prior Post in Series]
In Part 1 of this 2 part Mini-Lab series we looked at setting up TDE (Transparent Data Encryption) for a database and backing it up. In Part 2 we're going to discuss restoring a database (that has TDE enabled) to a different instance as well as disabling and removing TDE if desired.
RESTORING AN ENCRYPTED BACKUP TO A DIFFERENT INSTANCE
In Part 1 we backed up our TDE_TEST Database to a backup file called TDE_TEST_Encrypted.BAK. Now let's try and restore that database using a standard restore statement to a different instance:
USE MASTERGORESTORE DATABASE TDE_TEST FROM DISK = '<<BACKUP PATH>>\TDE_TEST_Encrypted.BAK' WITH MOVE 'TDE_TEST' TO '<<DATA PATH>>\TDE_TEST.mdf', MOVE 'TDE_TEST_log' TO '<<LOG PATH>>\TDE_TEST.ldf'GO
We get the following error message:
Msg 33111, Level 16, State 3, Line 1Cannot find server certificate with thumbprint '0xF1BD42D532117FG5407P48C7Z4TT97D6C2FFBD82'.Msg 3013, Level 16, State 1, Line 1RESTORE DATABASE is terminating abnormally.
The problem here is that we need to create the server certificate on the new instance that was used to secure our database encryption key. Remember in Part 1 of this series when we backed up our certificate? On the new instance (the instance we want to restore the backup to) we need to:
CREATE A DATABASE MASTER KEY
USE masterGOCREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Sup3rm@n'
CREATE A TRANSPARENT DATA ENCRYPTION CERTIFICATE FROM THE BACKUP
CREATE CERTIFICATE TDECertificateFROM FILE = '<<BACKUP PATH>>\TDECertificate' WITH PRIVATE KEY (FILE = '<<BACKUP PATH>>\TDECertificatePrivateKey', DECRYPTION BY PASSWORD = 'Sup3rm@n' ) GO
Now that we have the server certificate that was used for TDE for the backup of the TDE_TEST database on the instance that we want to restore to we can restore from the backup file.
HOW TO DISABLE TDE
Disabling Transparent Data Encryption on a database is done by executing the following statement:
ALTER DATABASE TDE_TEST SET ENCRYPTION OFF
In doing this we've disabled TDE for the user database TDE_TEST but once TDE is enabled on a database on an instance the tempdb system database for that instance will be encrypted as well. In order for tempdb to NOT be encrypted all user database must have TDE disabled and the SQL Server service will need to be restarted.
HOW TO REMOVE TDE
Removing Transparent Data Encryption on a database is done by executing the following statement:
USE TDE_TESTGODROP DATABASE ENCRYPTION KEY
HOW TO CHECK IF TDE IS ENABLED
If you want to validate that TDE is either enabled or disabled for a particular database you can execute the following statement:
SELECT name, is_encrypted FROM sys.databasesWHERE name = '<<DATABASE NAME>>'
There are many ways to try and protect your database but until now it wasn't as easy to protect the physical media (such as drives or backup tapes). With the use of SQL Server 2008 and Transparent Data Encryption this media is now useless to anyone without the keys.
What would it mean to you and your business if a hacker or a competitor had access to your database?
Please read the Temenos T24 Core Banking Optimized on Microsoft SQL Server Database Platform whitepaper for more information.
Follow Tier1OnSQL on Twitter