Transparent Data Encryption for the BIS workspace in SQL Server (Bathymetry Solution)

You can take several precautions to help secure the database, such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.

TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. TDE protects data at rest, meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries. This enables software developers to encrypt data by using AES and 3DES encryption algorithms without changing existing applications.

Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and decrypted when read into memory. TDE does not increase the size of the encrypted database.

The benefits of using TDE are the following:

For more information, see Transparent Data Encryption (TDE) in the MSDN library.

To use TDE, follow these steps in SQL Server Management Studio.

Steps:
  1. Create a master key.
  2. Create or obtain a certificate protected by the master key.
  3. Create a database encryption key and protect it by the certificate.
  4. Set the database to use encryption.

Example of TDE

You can use the SQL commands below to configure TDE. You can choose the password for the master key, and when backing up the master key, you can choose the folder and file name.

NoteNote:

Copying and pasting the example may cause syntax errors.

USE master
GO
/* Verify master key */
SELECT * FROM sys.symmetric_keys WHERE name LIKE '%MS_DatabaseMasterKey%'
GO

/* if there are no records found, then it means there was no predefined Master Key. 
 To create a Master Key, you can execute the below mentioned TSQL code. */
 
/* Create master key */
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'bis$$@admin';
GO
/* Backup master key */
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'bis$$@admin';
GO
BACKUP MASTER KEY TO FILE = 'D:\mssqlbackup\master\masterkey.mk' 
    ENCRYPTION BY PASSWORD = 'bis$$@admin';
GO

/* Create Certificate */
CREATE CERTIFICATE bis_cert WITH SUBJECT = 'BIS Server Certificate';
GO

/* Verify Certificate */
SELECT * FROM sys.certificates where [name] = 'bis_cert'
GO

/* Backup certificate */
BACKUP CERTIFICATE bis_cert TO FILE = 'D:\mssqlbackup\master\bis.cer'
   WITH PRIVATE KEY (
         FILE = 'D:\mssqlbackup\master\bis.pvk',
         ENCRYPTION BY PASSWORD = 'bis$$@admin');
GO

--use bis database
USE bisdb
GO
/* Create Encryption key */
CREATE DATABASE ENCRYPTION KEY
   WITH ALGORITHM = AES_256
   ENCRYPTION BY SERVER CERTIFICATE bis_cert;
GO

/* Encrypt database */
ALTER DATABASE bisdb SET ENCRYPTION ON;
GO

/* Verify Encryption */
SELECT 
DB_NAME(database_id) AS DatabaseName
,Encryption_State AS EncryptionState
,key_algorithm AS Algorithm
,key_length AS KeyLength
FROM sys.dm_database_encryption_keys
GO
SELECT 
NAME AS DatabaseName
,IS_ENCRYPTED AS IsEncrypted 
FROM sys.databases where name ='bisdb'
GO
3/3/2014