SQL Server Encryption - Adi Cohn


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

SQL Server Encryption - Adi Cohn

  1. 1. Adi Cohn - SRL Group Encryption with SQL Server 2008
  2. 2. Agenda <ul><li>Types of encryptions and there uses </li></ul><ul><li>Price of encryption </li></ul><ul><li>Basic terms </li></ul><ul><li>Key management types </li></ul><ul><li>Encryption and permissions </li></ul><ul><li>Restoring database to a different server </li></ul><ul><li>Working with TDE </li></ul>
  3. 3. Types of encryption <ul><li>SQL Server 2008 supports 2 completely different types of encryptions: </li></ul><ul><ul><li>Cell level encryption – Encrypts part of the data </li></ul></ul><ul><ul><li>DB level encryption – Encrypts the whole DB </li></ul></ul>
  4. 4. Cell level Encryption <ul><li>The encryption is “statement based”. The insert/update statements are responsible to encrypt the data and select statement has to decrypt the data. </li></ul><ul><li>Any application that works with the database has to be designed to work with the encryption and decryption mechanism </li></ul><ul><li>The developers and the DBA have many options to choose from and lots of control over the encryption mechanism </li></ul>
  5. 5. Database level encryption <ul><li>The whole database is encrypted. </li></ul><ul><li>The encryption and decryption is transparent to the applications. </li></ul><ul><li>Used to protect from file theft (data or backup), log shipping or mirroring </li></ul><ul><li>DBA and developers don’t have many configuration options and control on the encryption process. </li></ul>
  6. 6. “ Price” of encryption <ul><li>Encryption and decryption adds more CPU usage </li></ul><ul><li>Encrypted data takes much more disk space then the original data </li></ul><ul><li>SQL Server can not use index seek on encrypted data. </li></ul>
  7. 7. Basic terms <ul><li>Encryption – Conversion of clear data into scrambled data that has to be modified in order to make scenes. The encrypted data also referred as chipertext. </li></ul><ul><li>Decryption – Transforming of the encrypted data into its original state. Decrypted data also referred as cleartext. </li></ul>
  8. 8. Basic terms <ul><li>Key – The mechanism that is used in order encrypt and decrypt the data. </li></ul><ul><ul><li>Symmetric key – The same key is used for encrypting and decrypting the data (also known as shared key). </li></ul></ul><ul><ul><li>Asymmetric key – Different keys are used to encrypt or decrypt the data (Also known as private and public keys). </li></ul></ul><ul><li>Symmetric mechanism works faster then asymmetric mechanism, but is considered a weaker mechanism then asymmetric mechanism. </li></ul>
  9. 9. Basic terms <ul><li>Certificate – An electronic document that contains asymmetric keys with identifying information about its owner and the CA that issued the certificate </li></ul>
  10. 10. Key management <ul><li>SQL Server uses 3 types of key management: </li></ul><ul><ul><li>External key management – SQL Server 2008 introduced the ability to use an external application to manage the keys. </li></ul></ul><ul><ul><li>Encrypt by password – The user supplies a password for key generating, and the keys are managed independently </li></ul></ul><ul><ul><li>SQL internal hierarchical mechanism – There are few layers of key management that are structured as hierarchy. Each key is depended on a key in a layer above </li></ul></ul>
  11. 11. Encryption hierarchy
  12. 12. 4 Ways to encrypt and decrypt the data <ul><li>SQL Server suports 4 mechanisim to encrypt data: </li></ul><ul><ul><li>Encryption by PassPhrase </li></ul></ul><ul><ul><li>Encryption by symmetric key </li></ul></ul><ul><ul><li>Encryption by asymmetric key </li></ul></ul><ul><ul><li>Encryption by certificates </li></ul></ul>
  13. 13. Demo1 encrypting and decrypting columns
  14. 14. Security Considerations <ul><li>In reality unlike in the demo, there are security considerations. Users need to get permissions to use the keys. </li></ul><ul><li>Unfortunately there isn’t a direct way to grant permission only to encrypt andor decrypt the data </li></ul><ul><li>In order to limit the usage of the keys we’ll need to implement our own code. </li></ul>
  15. 15. Demo 2 – Implementing security
  16. 16. Moving an encrypted DB (column level) <ul><li>Sometimes there is a need to move the database to a new server </li></ul><ul><li>Keys that were encrypted by password can be used immediately </li></ul><ul><li>Before using keys that are managed by SQL Server, we need to modify the database master key </li></ul>
  17. 17. Demo 3 – Moving the database to a different instance
  18. 18. Transparent database encryption <ul><li>TDE can be done only on SQL Server 2008 Enterprise edition </li></ul><ul><li>Before configuring TDE we have to </li></ul><ul><ul><li>create asymmetric keys or certificate </li></ul></ul><ul><ul><li>Create a database encryption key </li></ul></ul><ul><li>It is important to backup the all the certificates and keys that were used to configure the TDE </li></ul>
  19. 19. <ul><li>After we created the database encryption key we need to run alter database statement </li></ul><ul><li>While the database is being encrypted, users can still work with it </li></ul><ul><li>We can monitor encryption’s progress with sys.dm_database_encryption_keys </li></ul>
  20. 20. Demo 4 – Using TDE
  21. 21. Thank you for listening [email_address]