TDE Setup and Administration Scripts

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » Article Discussions » Article Discussions by Author » Discuss content posted by Sean Elliott » TDE Setup and Administration Scripts

25 posts, Page 1 of 3

1 2 3 »»»

TDE Setup and Administration Scripts

Rate Topic

Display Mode

Topic Options

Author

Message

Sean Elliott (UK)

Posted Tuesday, March 08, 2011 12:04 AM

SSC Rookie

Group: General Forum Members
Last Login: Friday, April 05, 2013 9:32 AM
Points: 42, Visits: 170

Comments posted to this topic are about the item TDE Setup and Administration Scripts

Post #1074613

liebesiech

Posted Tuesday, March 08, 2011 12:46 AM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, May 10, 2013 3:55 AM
Points: 126, Visits: 751

Just for the records so that not everybody has to google it who isn't familiar with this feature: TDE = Transparent Data Encryption
Nice article though.
Wink

Post #1074620

DBA in Unit 7

Posted Tuesday, March 08, 2011 6:47 AM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Yesterday @ 12:34 PM
Points: 195, Visits: 1,057

Just a warning to those who would like to turn on TDE on servers that host some other databases along with the db you want to encrypt: if some of other DB's heavily utilize TEMPDB ( for example, using a lot #temp tables, doing a lot sorts, etc...), turning on TDE may kill the performance, yes, KILL, literally, the server would not responce due to the chance that the tempdb would go mad and refuse to work.

we had this last week in our DEV server and i couldn't even run sp_who2 when it happened.
RESTART Server ( tried to restart the SQL Server service and it hang; had to reboot the server) and turn off TDE...and then Restart Server cleaned up the chokeness.

Make sure you test enough before putting it to PROD...or leaving those encrypted DB'S on one box may be a better idea.

Post #1074754

Sean Elliott (UK)

Posted Tuesday, March 08, 2011 7:52 AM

SSC Rookie

Group: General Forum Members
Last Login: Friday, April 05, 2013 9:32 AM
Points: 42, Visits: 170

By chance my site only has one database that uses TDE with no other application databases on the same instance. Definitly try any change in DEV or TEST before PROD. A silver bullet restart of SQL might help if you have some databases using TDE and some not using TDE. It is the case that you have to restart SQL if you run the RemoveTDE script so that tempdb get receated properly so perhaps this is true when you first set it up too.

Not sure that performance would be hit massively re use of tempdb. Clearly there is no such thing as "something for nothing" so there is a performance hit but I believe it is not prohibitive unless your server is already operating near the bounds of its capacity. I did attend a Kevin Guinn presentation on TDE performance impact at SQL PASS 2009 which presented results from extensive performance comparisons of TDE configured databases against non TDE databases for sample operations. The results did not deter me from going ahead with my intended use of TDE. That said my particular scenario is not a heavily used database. This seems to be the basis for that presentation:

http://www.dell.com/downloads/global/solutions/Dell_SQL2008_EE_Encryption_and_Compression.pdf

Post #1074819

TerryS

Posted Tuesday, March 08, 2011 9:36 AM

SSC Eights!

Group: General Forum Members
Last Login: Today @ 11:28 AM
Points: 842, Visits: 761

Nice article, thanks. I'm about to implement TDE on a couple of servers so very timely.

As you noted:

Sean Elliott (UK) (3/8/2011)

...my site only has one database that uses TDE with no other application databases on the same instance.

Question: How do you enable TDE for a second database using your scripts?

Thanks.

Post #1074924

John Doe-361624

Posted Tuesday, March 08, 2011 11:47 AM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, February 22, 2013 3:22 PM
Points: 116, Visits: 220

liebesiech
You have the best comment here!!!!!

What kind of a specialist does not clarify abbreviations at the top of such an interesting article!!!!!

Post #1075016

Sean Elliott (UK)

Posted Tuesday, March 08, 2011 4:20 PM

SSC Rookie

Group: General Forum Members
Last Login: Friday, April 05, 2013 9:32 AM
Points: 42, Visits: 170

I did not want to write yet another article about TDE that tells you lots of complicated theory and background but then does not actually tell you how to use it for real. If you do not know what TDE is an acronym for then this is not the place to start. Tongue

I read several of these and still did not understand what you were supposed to do or really why there were so many levels of protection. It was only when I tried to do it for real that I gradually understood properly.

Post #1075229

Sean Elliott (UK)

Posted Tuesday, March 08, 2011 4:28 PM

SSC Rookie

Group: General Forum Members
Last Login: Friday, April 05, 2013 9:32 AM
Points: 42, Visits: 170

I guess my scripts as they are only work for one database comprehensively BigGrin

Quick answer - everywhere where there are commands affecting XX_DATABASE_XX copy and paste them as many times as required to include all the databases you require to use TDE.

If there are many such databases you could use master.dbo.sp_MSForEachDb to hit all relevant databases in a loop replacing XX_DATABASE_XX with [?] or '?'. You can see extensive use of sp_MSForEachDb in my other article about DDL auditing - gets slightly tricky if you need any quote characters in the command.

Not all the scripts do actually refer to a particular datadase so not all need changing. An example of one that would need changing is RemoveTDE.sql. For example part of it could be enhanced to:

exec master.dbo.sp_MSForEachDb
'
  if ''?'' != ''tempdb''
  begin
    if exists
    (
       select 1 from sys.dm_database_encryption_keys
       where DB_NAME(database_id) = ''?''
    )
    begin
       while not exists
       (  
          select encryption_state from sys.dm_database_encryption_keys
          where DB_NAME(database_id) = ''?'' and encryption_state = 1
       )
       begin
          set @DateStr = convert(varchar, getdate(), 120)
          raiserror(''%s Waiting 5 seconds for database encryption to complete'', 0, 0, @DateStr) with   nowait
          waitfor delay ''00:00:05'' 
       end
    end
  end
'