Your SlideShare is downloading. ×
SQL Server Encryption - Adi Cohn
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

SQL Server Encryption - Adi Cohn


Published on

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Adi Cohn - SRL Group Encryption with SQL Server 2008
  • 2. Agenda
    • Types of encryptions and there uses
    • Price of encryption
    • Basic terms
    • Key management types
    • Encryption and permissions
    • Restoring database to a different server
    • Working with TDE
  • 3. Types of encryption
    • SQL Server 2008 supports 2 completely different types of encryptions:
      • Cell level encryption – Encrypts part of the data
      • DB level encryption – Encrypts the whole DB
  • 4. Cell level Encryption
    • The encryption is “statement based”. The insert/update statements are responsible to encrypt the data and select statement has to decrypt the data.
    • Any application that works with the database has to be designed to work with the encryption and decryption mechanism
    • The developers and the DBA have many options to choose from and lots of control over the encryption mechanism
  • 5. Database level encryption
    • The whole database is encrypted.
    • The encryption and decryption is transparent to the applications.
    • Used to protect from file theft (data or backup), log shipping or mirroring
    • DBA and developers don’t have many configuration options and control on the encryption process.
  • 6. “ Price” of encryption
    • Encryption and decryption adds more CPU usage
    • Encrypted data takes much more disk space then the original data
    • SQL Server can not use index seek on encrypted data.
  • 7. Basic terms
    • Encryption – Conversion of clear data into scrambled data that has to be modified in order to make scenes. The encrypted data also referred as chipertext.
    • Decryption – Transforming of the encrypted data into its original state. Decrypted data also referred as cleartext.
  • 8. Basic terms
    • Key – The mechanism that is used in order encrypt and decrypt the data.
      • Symmetric key – The same key is used for encrypting and decrypting the data (also known as shared key).
      • Asymmetric key – Different keys are used to encrypt or decrypt the data (Also known as private and public keys).
    • Symmetric mechanism works faster then asymmetric mechanism, but is considered a weaker mechanism then asymmetric mechanism.
  • 9. Basic terms
    • Certificate – An electronic document that contains asymmetric keys with identifying information about its owner and the CA that issued the certificate
  • 10. Key management
    • SQL Server uses 3 types of key management:
      • External key management – SQL Server 2008 introduced the ability to use an external application to manage the keys.
      • Encrypt by password – The user supplies a password for key generating, and the keys are managed independently
      • SQL internal hierarchical mechanism – There are few layers of key management that are structured as hierarchy. Each key is depended on a key in a layer above
  • 11. Encryption hierarchy
  • 12. 4 Ways to encrypt and decrypt the data
    • SQL Server suports 4 mechanisim to encrypt data:
      • Encryption by PassPhrase
      • Encryption by symmetric key
      • Encryption by asymmetric key
      • Encryption by certificates
  • 13. Demo1 encrypting and decrypting columns
  • 14. Security Considerations
    • In reality unlike in the demo, there are security considerations. Users need to get permissions to use the keys.
    • Unfortunately there isn’t a direct way to grant permission only to encrypt andor decrypt the data
    • In order to limit the usage of the keys we’ll need to implement our own code.
  • 15. Demo 2 – Implementing security
  • 16. Moving an encrypted DB (column level)
    • Sometimes there is a need to move the database to a new server
    • Keys that were encrypted by password can be used immediately
    • Before using keys that are managed by SQL Server, we need to modify the database master key
  • 17. Demo 3 – Moving the database to a different instance
  • 18. Transparent database encryption
    • TDE can be done only on SQL Server 2008 Enterprise edition
    • Before configuring TDE we have to
      • create asymmetric keys or certificate
      • Create a database encryption key
    • It is important to backup the all the certificates and keys that were used to configure the TDE
  • 19.
    • After we created the database encryption key we need to run alter database statement
    • While the database is being encrypted, users can still work with it
    • We can monitor encryption’s progress with sys.dm_database_encryption_keys
  • 20. Demo 4 – Using TDE
  • 21. Thank you for listening [email_address]