• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
SQL Server Encryption - Adi Cohn

SQL Server Encryption - Adi Cohn






Total Views
Views on SlideShare
Embed Views



2 Embeds 15

http://www.sqlserver.co.il 8
http://www.slideshare.net 7



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    SQL Server Encryption - Adi Cohn SQL Server Encryption - Adi Cohn Presentation Transcript

    • Adi Cohn - SRL Group Encryption with SQL Server 2008
    • Agenda
      • Types of encryptions and there uses
      • Price of encryption
      • Basic terms
      • Key management types
      • Encryption and permissions
      • Restoring database to a different server
      • Working with TDE
    • Types of encryption
      • SQL Server 2008 supports 2 completely different types of encryptions:
        • Cell level encryption – Encrypts part of the data
        • DB level encryption – Encrypts the whole DB
    • Cell level Encryption
      • The encryption is “statement based”. The insert/update statements are responsible to encrypt the data and select statement has to decrypt the data.
      • Any application that works with the database has to be designed to work with the encryption and decryption mechanism
      • The developers and the DBA have many options to choose from and lots of control over the encryption mechanism
    • Database level encryption
      • The whole database is encrypted.
      • The encryption and decryption is transparent to the applications.
      • Used to protect from file theft (data or backup), log shipping or mirroring
      • DBA and developers don’t have many configuration options and control on the encryption process.
    • “ Price” of encryption
      • Encryption and decryption adds more CPU usage
      • Encrypted data takes much more disk space then the original data
      • SQL Server can not use index seek on encrypted data.
    • Basic terms
      • Encryption – Conversion of clear data into scrambled data that has to be modified in order to make scenes. The encrypted data also referred as chipertext.
      • Decryption – Transforming of the encrypted data into its original state. Decrypted data also referred as cleartext.
    • Basic terms
      • Key – The mechanism that is used in order encrypt and decrypt the data.
        • Symmetric key – The same key is used for encrypting and decrypting the data (also known as shared key).
        • Asymmetric key – Different keys are used to encrypt or decrypt the data (Also known as private and public keys).
      • Symmetric mechanism works faster then asymmetric mechanism, but is considered a weaker mechanism then asymmetric mechanism.
    • Basic terms
      • Certificate – An electronic document that contains asymmetric keys with identifying information about its owner and the CA that issued the certificate
    • Key management
      • SQL Server uses 3 types of key management:
        • External key management – SQL Server 2008 introduced the ability to use an external application to manage the keys.
        • Encrypt by password – The user supplies a password for key generating, and the keys are managed independently
        • SQL internal hierarchical mechanism – There are few layers of key management that are structured as hierarchy. Each key is depended on a key in a layer above
    • Encryption hierarchy
    • 4 Ways to encrypt and decrypt the data
      • SQL Server suports 4 mechanisim to encrypt data:
        • Encryption by PassPhrase
        • Encryption by symmetric key
        • Encryption by asymmetric key
        • Encryption by certificates
    • Demo1 encrypting and decrypting columns
    • Security Considerations
      • In reality unlike in the demo, there are security considerations. Users need to get permissions to use the keys.
      • Unfortunately there isn’t a direct way to grant permission only to encrypt andor decrypt the data
      • In order to limit the usage of the keys we’ll need to implement our own code.
    • Demo 2 – Implementing security
    • Moving an encrypted DB (column level)
      • Sometimes there is a need to move the database to a new server
      • Keys that were encrypted by password can be used immediately
      • Before using keys that are managed by SQL Server, we need to modify the database master key
    • Demo 3 – Moving the database to a different instance
    • Transparent database encryption
      • TDE can be done only on SQL Server 2008 Enterprise edition
      • Before configuring TDE we have to
        • create asymmetric keys or certificate
        • Create a database encryption key
      • It is important to backup the all the certificates and keys that were used to configure the TDE
      • After we created the database encryption key we need to run alter database statement
      • While the database is being encrypted, users can still work with it
      • We can monitor encryption’s progress with sys.dm_database_encryption_keys
    • Demo 4 – Using TDE
    • Thank you for listening [email_address]