Data reencryption

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2008 » Security (SS2K8) » Data reencryption

Data reencryption

Rate Topic

Display Mode

Topic Options

Author

Message

PHXHoward

Posted Monday, January 28, 2013 10:46 AM

SSC Veteran

Group: General Forum Members
Last Login: Wednesday, May 22, 2013 4:32 PM
Points: 250, Visits: 693

Hi everyone.

At what point does the actual data get reencrypted by SQL Server? Does it happen when I regenerate a database encryption key or when a new certificate is created and associated with an encrypted database?

When the data itself is reencrypted, is there a security issue during the decrypt/reencrypt process?

None of the Microsoft documents seem to address this.

Thanks much.

Post #1412556

e4d4

Posted Monday, January 28, 2013 2:27 PM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Yesterday @ 1:54 PM
Points: 151, Visits: 1,039

PHXHoward (1/28/2013)

Are you talking about Transparent Data Encryption (TDE) or cell encryption with crtificates and keys?

PHXHoward (1/28/2013)

When the data itself is reencrypted, is there a security issue during the decrypt/reencrypt process?

None of the Microsoft documents seem to address this.

Thanks much.

I don't know about any issue but you should rember that when you have debug permission on OS level and none permission to SQL server you can read encrypted data from memory...and do many more things ;)

Post #1412659

PHXHoward

Posted Monday, January 28, 2013 2:37 PM

SSC Veteran

Group: General Forum Members
Last Login: Wednesday, May 22, 2013 4:32 PM
Points: 250, Visits: 693

I'm referring to TDE encryption.

When we regenerate the DEK or create a new certificate and encrypt using certificate, does it decrypt/reencrypt the data itself?

Post #1412665

e4d4

Posted Tuesday, January 29, 2013 2:16 AM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Yesterday @ 1:54 PM
Points: 151, Visits: 1,039

PHXHoward (1/28/2013)

I'm referring to TDE encryption.

When we regenerate the DEK or create a new certificate and encrypt using certificate, does it decrypt/reencrypt the data itself?

Without decryption how can it change a key?
When you regenerate a DEK you can track progress in sys.dm_database_encryption_keys column encryption_state=4 (Key change in progress), then all data from the DB must be decrypted and encrypted using a new key. eg:

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_128;

When you change only the certificate that protect DEK only DEK is decrypted and encrypted by using a new key. DEK keys aren't changed and there is no need to decrypt and encrypt all data in DB

alter DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER CERTIFICATE NewCert;

Post #1412825

PHXHoward

Posted Tuesday, January 29, 2013 11:41 AM

SSC Veteran

Group: General Forum Members
Last Login: Wednesday, May 22, 2013 4:32 PM
Points: 250, Visits: 693

Thank you for the replies. I understand now.

How safe is the reencrypt process? Is there data file ever exposed while it is reencrypted?

Post #1413220

e4d4

Posted Tuesday, January 29, 2013 12:03 PM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Yesterday @ 1:54 PM
Points: 151, Visits: 1,039

PHXHoward (1/29/2013)

Thank you for the replies. I understand now.

How safe is the reencrypt process? Is there data file ever exposed while it is reencrypted?

Encrypted data in decrypted form are in:
- buffer pool
- RAM
- swap file
- and i don't know where else
Encryption is on page level, so probably reencrypt occur as follow: read a page->decrypt->encrypt by a new key->write a page
But why are you so afraid about encryption process?

Post #1413228

PHXHoward

Posted Tuesday, January 29, 2013 12:11 PM

SSC Veteran

Group: General Forum Members
Last Login: Wednesday, May 22, 2013 4:32 PM
Points: 250, Visits: 693

That makes sense. I was wondering about the reencrypt process because an auditor asked me that question so I wanted to give him an answer.

Post #1413236

e4d4

Posted Tuesday, January 29, 2013 12:21 PM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Yesterday @ 1:54 PM
Points: 151, Visits: 1,039

PHXHoward (1/29/2013)

That makes sense. I was wondering about the reencrypt process because an auditor asked me that question so I wanted to give him an answer.

Auditor

so all is clear, auditors sometimes ask weird questions...

Post #1413245

ssnrobtcok

Posted Friday, February 22, 2013 11:45 AM

Forum Newbie

Group: General Forum Members
Last Login: Friday, February 22, 2013 12:29 PM
Points: 4, Visits: 8

ou can't use a custom certificate with salesforce.com, it just doesn't work that way. At what level are you looking to encrypt the data? Data is already encrypted during data transport (uses TLS encryption where available). If you want to store the data in salesforce.com, use Encrypted Text Fields (free, available on request).

business plans

Post #1423194

« Prev Topic | Next Topic »

Permissions