1. An Introduction To
Presented By
John Magnabosco
Database Consultant/Solution Architect – SolutionAvenue
President/Co-Founder - Indianapolis Professional Association for SQL Server
Coordinator/Co-Founder – IndyTechFest
E-Mail: john_magnabosco@live.com
2. Today’s Presentation
1. What is TDE?
2. Key Architecture of TDE
3. How to Implement TDE
4. Backup Considerations with TDE
5. Restore with TDE
6. Interesting Tidbits of TDE
3. What is Transparent Data Encryption (TDE)?
• A new feature of SQL Server 2008 Enterprise Edition
• Encrypts the physical files of a database (data and log files)
• Designed to protect “data at rest”
• Does not require explicit opening/closing of keys
• No schema modifications required to implement
5. Key Architecture of TDE
SQL Server Instance
• Service Master Key
  Master Database
  • Database Master Key (encrypted by the Service Master Key)
  • Certificate (encrypted by the Database Master Key)
    User Database
    • Database Encryption Key (encrypted by the Certificate)
    • Physical Database Files (encrypted by the Database Encryption Key)
6. How To Implement TDE
• Backup the unencrypted user database
• Create a Database Master Key in the Master database
• Create a Certificate in the Master database
• Create a Database Encryption Key in the user database
• Set Encryption to ON in the user database
• Backup Keys, Certificate and user database
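The six steps above, written out as T-SQL. This is an added example and not a script from the presentation; the database name SalesDB, the certificate name TDECert, the file paths under C:\Backups\ and the placeholder passwords are all assumptions. The final query checks that the encryption scan finished and shows the tempdb side effect mentioned later in the deck.

```sql
-- Added example, not from the presentation. Assumed names: database SalesDB,
-- certificate TDECert, paths under C:\Backups\, placeholder passwords in <...>.
USE master;
GO
-- Step 1: back up the user database while it is still unencrypted
BACKUP DATABASE SalesDB TO DISK = 'C:\Backups\SalesDB_PreTDE.bak' WITH INIT;
GO
-- Step 2: Database Master Key in master (protected by the Service Master Key)
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password - placeholder>';
GO
-- Step 3: certificate in master that will protect the Database Encryption Key
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDECert')
    CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- Step 4: Database Encryption Key inside the user database
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
-- Step 5: turn encryption on; a background scan encrypts existing pages
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- Step 6: back up the certificate WITH its private key right away.
-- Without this file pair the encrypted database cannot be restored elsewhere.
USE master;
GO
BACKUP CERTIFICATE TDECert TO FILE = 'C:\Backups\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Backups\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password - placeholder>');
GO
-- Check: encryption_state 3 = encrypted, 2 = encryption in progress (see percent_complete).
-- tempdb (database_id 2) also shows up here once any user database is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

Run the script as a sysadmin on the instance; the CREATE MASTER KEY and CREATE CERTIFICATE steps are guarded so the script can be re-run for a second user database that shares the same certificate.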
9. Backup of TDE Databases
• Backup user database
• Backup Service Master Key
• Backup Database Master Key in Master database
• Backup Certificate in Master database
• Database Encryption Key is backed up with database
• Store backup of db and keys in separate locations
10. Restore of TDE Databases
• Restore Service Master Key if needed
• Restore Database Master Key in Master database
• Alter the restored DMK so it is encrypted by the Service Master Key of the restoring instance
• Restore Certificate in Master database
• Restore the user database
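The backup list and the restore sequence from the two slides above, as one added T-SQL example; it is not a script from the presentation. Assumed names are the database SalesDB, the certificate TDECert, key backups under C:\Backups\ and the database backup under D:\DbBackups\ (kept apart, as the backup slide advises); passwords are placeholders.

```sql
-- Added example, not from the presentation. Assumed names: database SalesDB,
-- certificate TDECert, key files under C:\Backups\, database backup under D:\DbBackups\.

-- ===== Source instance: back up keys and database to separate locations =====
USE master;
GO
BACKUP SERVICE MASTER KEY TO FILE = 'C:\Backups\SMK.smk'
    ENCRYPTION BY PASSWORD = '<SMK backup password - placeholder>';
BACKUP MASTER KEY TO FILE = 'C:\Backups\master_DMK.dmk'
    ENCRYPTION BY PASSWORD = '<DMK backup password - placeholder>';
BACKUP CERTIFICATE TDECert TO FILE = 'C:\Backups\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Backups\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<private key password - placeholder>');
-- The Database Encryption Key lives inside the user database, so it travels with this backup
BACKUP DATABASE SalesDB TO DISK = 'D:\DbBackups\SalesDB.bak' WITH INIT;
GO

-- ===== Target instance: keys first, then the database =====
USE master;
GO
-- Only when the target must reuse the original Service Master Key (e.g. rebuilding the same server):
-- RESTORE SERVICE MASTER KEY FROM FILE = 'C:\Backups\SMK.smk'
--     DECRYPTION BY PASSWORD = '<SMK backup password - placeholder>';

-- Restore the master DMK, then add encryption by this instance's SMK so it opens automatically
RESTORE MASTER KEY FROM FILE = 'C:\Backups\master_DMK.dmk'
    DECRYPTION BY PASSWORD = '<DMK backup password - placeholder>'
    ENCRYPTION BY PASSWORD = '<new DMK password - placeholder>';
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<new DMK password - placeholder>';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
CLOSE MASTER KEY;
GO
-- Recreate the certificate from the backup; the private key is mandatory for TDE
CREATE CERTIFICATE TDECert
    FROM FILE = 'C:\Backups\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Backups\TDECert.pvk',
                      DECRYPTION BY PASSWORD = '<private key password - placeholder>');
GO
-- Now the encrypted backup restores; without the certificate this step fails with
-- "Cannot find server certificate with thumbprint ..."
RESTORE DATABASE SalesDB FROM DISK = 'D:\DbBackups\SalesDB.bak' WITH RECOVERY;
GO
```

On a fresh target instance that has no Database Master Key in master, the RESTORE MASTER KEY step can be replaced by a plain CREATE MASTER KEY; the certificate restore is the part that must match, because the Database Encryption Key inside the backup is tied to that certificate's thumbprint.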
12. Interesting Tidbits
• TempDB is also encrypted once any user database on the instance uses TDE
• The transaction log is advanced to the next virtual log file (VLF) so new log records are encrypted
• For replication, TDE must be enabled on both the publisher and the subscriber
• Compression is not recommended with TDE (encrypted pages do not compress well)
• Full-Text Indexes are not recommended with TDE
• Both databases used in mirroring will be encrypted
13. In Summary
• TDE encrypts physical files of a database
• Designed to protect “data at rest”
• The Database Encryption Key is used with TDE
• Implementation includes the MASTER database
• Backup the keys separately from the database(s)
• TempDB is encrypted when TDE is implemented
15. Additional TDE Resources:
MSDN: Understanding TDE (Article)
http://msdn.microsoft.com/en-us/library/bb934049.aspx
My Blog: Check out my series on TDE
http://www.simple-talk.com/community/blogs/johnm/default.aspx
Additional General Encryption Resources:
MSDN: SQL Server Encryption
http://msdn.microsoft.com/en-us/library/bb510663.aspx
Have More Questions?
My E-Mail: john_magnabosco@live.com