The pages in an encrypted database are encrypted before they're written to disk and are decrypted when read into memory. TDE doesn't increase the size of the encrypted database. TDE protects data at rest (data files, log files and backups); it does not protect data in transit, and it does not hide data from any principal that already has permission to query the database.

When you use TDE with Azure SQL Database, SQL Database automatically creates the server-level certificate stored in the master database. To move a TDE database on SQL Database, you don't have to decrypt the database for the move operation. For more information on using TDE with SQL Database, see transparent data encryption with Azure SQL Database.

Information applicable to SQL Server

After you secure a database, you can restore it by using the correct certificate. For more information about certificates, see SQL Server Certificates and Asymmetric Keys.

After you enable TDE, immediately back up the certificate and its associated private key. If the certificate becomes unavailable, or if you restore or attach the database on another server, you need backups of the certificate and private key; without them the encrypted database and its backups cannot be opened.

Keep the encrypting certificate even if you've disabled TDE on the database. Although the database isn't encrypted, parts of the transaction log might remain protected, and you also might need the certificate for some operations until you do a full database backup.

You can still use a certificate that exceeds its expiration date to encrypt and decrypt data with TDE.

The following illustration shows the architecture of TDE encryption.

[Illustration: TDE encryption architecture (image not reproduced)]

The Windows Data Protection API (DPAPI) is at the root of the encryption tree, secures the key hierarchy at the machine level, and is used to protect the service master key (SMK) for the database server instance. The SMK protects the database master key (DMK), which is stored at the database level and protects certificates and asymmetric keys. These keys, in turn, protect symmetric keys, which protect the data. TDE uses a similar hierarchy down to the certificate. When you use TDE, the DMK and certificate must be stored in the master database. A new key, used only for TDE and referred to as the database encryption key (DEK), is created and stored in the user database.
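The key hierarchy and the certificate-backup guidance above, worked through as T-SQL on a SQL Server instance. This is an added example, not code from the original page or from Microsoft's documentation; the database name SalesDB, the certificate name TDE_Cert, the file paths and the password placeholders are assumptions, and the second half assumes a separate target instance on which the database is being restored.

```sql
-- Added example (not from the original page). Names, paths and passwords
-- are placeholders; replace them before use.

-- === Source instance: enable TDE, following the hierarchy DPAPI -> SMK
-- === -> DMK (in master) -> certificate (in master) -> DEK (in user DB)

USE master;
GO

-- 1. Database master key in master. It is protected by the SMK, which in
--    turn is protected by DPAPI at the machine level.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO

-- 2. Server certificate in master; this is what will protect the DEK.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO

-- 3. Back up the certificate AND its private key immediately. Keep the two
--    files and the password somewhere other than the database server; an
--    encrypted database or backup cannot be opened anywhere without them.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\keybackup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keybackup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<private key backup password>');
GO

-- 4. The DEK lives in the user database and is protected by the certificate.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO

-- 5. Turn encryption on. A background scan encrypts the existing pages;
--    new pages are encrypted as they are written.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    encryptor_thumbprint identifies which certificate protects the DEK,
--    so you can confirm it matches the one you backed up.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length,
       encryptor_type,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO

-- === Target instance: restore the encrypted database elsewhere.
-- === Run these on the second server; the .cer/.pvk files were copied there.

USE master;
GO
-- A DMK must exist in master before the certificate can be imported.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password on target>';
GO
-- Re-create the certificate from the backup, including the private key.
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'D:\keybackup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keybackup\TDE_Cert.pvk',
        DECRYPTION BY PASSWORD = '<private key backup password>');
GO
-- Only now will the restore succeed; without the certificate it fails
-- because the DEK inside the backup cannot be decrypted.
RESTORE DATABASE SalesDB
    FROM DISK = 'D:\backup\SalesDB.bak'
    WITH RECOVERY;
GO
```

Step 3 is the one the page stresses: the certificate backup is what makes the restore half possible, so treat the .pvk file and its password with the same care as the data they unlock, and keep them even after ALTER DATABASE ... SET ENCRYPTION OFF until a full backup has been taken.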