gavin payne transparent data encryption the hows, whys and whens
Post on 20-Dec-2015
224 Views
Preview:
TRANSCRIPT
Gavin Payne
Transparent Data Encryption
The Hows, Whys and Whens
• Introduction to Encryption
• SQL Server Encryption Concepts
• Transparent Data Encryption
• Demo
• Considerations
Introduction
60 minutes
Gavin Payne
Solution Architect 3.5 yearsSQL Server DBA 10 years
SQL Bits 7SQL Server User GroupSQL Social
Blog http://blog.gavinpayneuk.comTwitter @GavinPayneUK
About Me
• We all have information we want to hide from others
To save embarrassmentTo keep trade secrets secretTo comply with regulatory compliance (e.g. PCI-
DSS)To comply with legal requirements (e.g. DPA)
• However:
Some people might actively try and steal dataSome people might accidentally find it
Why Encrypt?
• Plaintext
• Cipher
• Key
• Ciphertext
Simple Encryption ConceptsPlaintextABCDEF
CipherCiphertextNHYGFHLD
Key
PlaintextABCDEF
CipherCiphertextNHYGFHLD
Key
• Symmetric encryption
Where the same key is used to encrypt AND decrypt
Very fast but requires secure transport of the key
• Asymmetric encryption
Public key encryptionDifferent keys are used to encrypt and decryptEither key on its own is useless
Common Encryption Terms
PUBLICPUBLIC PRIVATE
PUBLIC PRIVATEPRIVATE
• Key
Must assume the cipher is known and available Key makes the execution of the cipher
unique
• Certificate
Confirms the owner of a public keyUsing a verifiable 3rd party digital
signature
Common Encryption Concepts
dhuiowe5 hvg5u84yv87905yv89y4789ny3v8924ytc79wdrnywgdrygsdfh
Why Is Database Encryption Needed?
Database Encryption Methods
Storage Hardware I/O controller encryption
File System EFS, BitLocker etc.
Database Physical Storage Transparent Data Encryption
Database Logical Storage SQL Server Column Encryption
Application Application Column Encryption
• SQL Server has a large internal encryption hierarchy
• Very flexible and self-sufficient
• All manageable via T-SQL
• Can hook into external encryption hardware
• Make sure you understand how to backup/restore!
SQL Server Encryption
• Common term also used by Oracle
• Transparent Data Encryption is new in SQL Server 2008
• Enterprise Edition only feature
• Designed to protect data against unauthorised access at rest (MDFs, LDFs and backups)
• You can steal my disks but not my data
What is TDE?
• Turnkey database storage encryption tool
• Transparent to applications and code
• Operates at the IO level within SQL Server
• A slight performance overhead (approx 6%)
• As dev’s strive to reduce database IO the effect of encryption is also reduced
What is TDE?
• Enterprise Edition feature suggests enterprise need
• Primarily financial services and healthcare
• But theft of any data is grabbing more headlines
• Delivers complete database storage encryption
• With a comprehensive management framework
When to use TDE
• System/Service Master Key
• Database Master Key
• Server Certificate
• Database Encryption Key
TDE Components
Demo
• Backup SMK
• Create a new user database
• Create DMK, cert, DEK
• Encrypt
• DMVs
• Backup and then restore elsewhere
Demo Summary
• Key and certificate management is crucial
• Backup compression benefits lost entirely
• Backup portability severely hampered
• IO overhead quoted at about 6%
• Tempdb gets encrypted for everyone
Things to be aware of
• Encryption is based upon ciphers and keys
• Nothing new in the database world
• Although such a turnkey and complete option is
• Key management within SQL Server is crucial
• Backups and tempdb get encrypted as well as
data
Summary
top related