Transparent Data Encryption (TDE) SQL Server 2008
Posted Monday, May 4, 2009 8:57 AM


Yes, I did.... I had trouble setting up the hyperlink for that and I have to thank Steve for setting it up properly. And he did a great job editing. To be honest, I would never want to take his job of editing articles....heheheheh.
He is great at that.


-Roy
Post #709432
Posted Monday, May 4, 2009 10:20 AM
Great article. Looks like for now, TDE is a one-way process. Select wisely!

The more you are prepared, the less you need it.
Post #709491
Posted Monday, May 4, 2009 11:37 AM
Good article. Nice and concise, with good points. BOL pointed this out in regards to the read-only file groups:

While TDE operations are not allowed if the database has any read-only filegroups, TDE can be used with read-only filegroups. To enable TDE on a database that has read-only filegroups, the filegroups must first be set to allow writes. After the encryption scan completes, the filegroup can be set back to read only. Key changes or decryption must be performed the same way.

So there is a work-around, but it had better be known before doing encryption. Thanks again for the information!

Cheers,
Brian
Post #709565
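
The read-only filegroup workaround quoted from BOL in the post above, written out as an added T-SQL example that is not part of the original thread. The database `SalesDB`, the filegroup `ArchiveFG` and the server certificate `TDECert` are hypothetical names, and the certificate is assumed to exist already in `master`.

```sql
-- Added example; SalesDB, ArchiveFG and TDECert are hypothetical names.
USE master;
GO
-- 1. TDE operations are refused while any filegroup is read-only,
--    so make the filegroup writable first.
ALTER DATABASE SalesDB MODIFY FILEGROUP ArchiveFG READ_WRITE;
GO

-- 2. Create the database encryption key and switch encryption on.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- 3. Wait for the background encryption scan to finish.
--    encryption_state: 2 = encryption in progress, 3 = encrypted.
WHILE EXISTS (SELECT 1
              FROM   sys.dm_database_encryption_keys
              WHERE  database_id = DB_ID(N'SalesDB')
                AND  encryption_state <> 3)
BEGIN
    WAITFOR DELAY '00:00:10';
END;
GO

-- 4. Only after the scan completes, return the filegroup to read-only.
USE master;
GO
ALTER DATABASE SalesDB MODIFY FILEGROUP ArchiveFG READ_ONLY;
GO

-- 5. Confirm the final state.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete
FROM   sys.dm_database_encryption_keys
WHERE  database_id = DB_ID(N'SalesDB');
```

As the BOL text says, a later key change or decryption needs the same READ_WRITE / READ_ONLY bracket around it.
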
Posted Monday, May 4, 2009 11:52 AM


Thanks for the info, Brian. That is something I missed.
Thanks to all who have commented and read.


-Roy
Post #709577
Posted Monday, May 4, 2009 12:16 PM
Thanks for the great article. I didn't see anything about impact on performance. Encrypting the entire database at the I/O level surely has some impact. You tested this on a 12GB database. Any chance you were able to run some scripts and get a notion of how responsive your database was after this? Is there anywhere I could find some initial statistics on how this impacted performance?

Thanks!
Matt Penner
Post #709606
Posted Monday, May 4, 2009 1:21 PM


Hey Matt,

Last week there was an article written on the performance impact on TDE. In that, the author did some testing and was able to figure out that the performance impact was less than 5%.



-Roy
Post #709655
Posted Monday, May 4, 2009 2:21 PM


Hey Roy... very good (okay, GREAT) article.

One thing to emphasize... as long as you need that backup, you need to keep the security certificates. Think SOX. You may need that certificate for many years. And, of course, it can't be kept with the backup... sorta nullifies the security. How to manage the security of the certificates separately from the backups needs to be thought out in advance also.


Wayne
Microsoft Certified Master: SQL Server 2008
If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
Post #709717
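
A check for the certificate-retention point raised in the post above, as an added T-SQL example that is not part of the original thread. It lists which server certificate protects each TDE database and whether its private key has ever been exported, then exports it; the certificate name `TDECert`, the `E:\KeyEscrow\` path and the passphrase are placeholders.

```sql
-- Added example; TDECert, the file paths and the passphrase are placeholders.
USE master;
GO
-- Which certificate protects each TDE database, and has its private key
-- ever been backed up? A NULL pvt_key_last_backup_date means a restore on
-- another server is not possible with what exists today.
SELECT  DB_NAME(dek.database_id)    AS database_name,
        c.name                      AS certificate_name,
        c.thumbprint,
        c.expiry_date,
        c.pvt_key_last_backup_date
FROM    sys.dm_database_encryption_keys AS dek
JOIN    sys.certificates AS c
        ON c.thumbprint = dek.encryptor_thumbprint;
GO

-- Export the certificate and its private key. Write the files to a location
-- that is NOT part of the database backup set, and hold the passphrase
-- separately from both.
BACKUP CERTIFICATE TDECert
    TO FILE = N'E:\KeyEscrow\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = N'E:\KeyEscrow\TDECert.pvk',
        ENCRYPTION BY PASSWORD = N'<passphrase stored outside the backup set>'
    );
GO
```

Record the thumbprint alongside each backup's retention entry so the matching certificate can be found for as long as that backup must remain restorable.
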
Posted Monday, May 4, 2009 2:24 PM


I totally agree on that point. It should be stored on multiple media, I would say, and kept in a very safe place off the network.

-Roy
Post #709724
Posted Monday, May 4, 2009 2:33 PM
Could you explain the difference between making the master key and the certificate? Also, I noticed that the master key password was set to an empty string. Why?

Thanks,
Steve
Post #709736
Posted Monday, May 4, 2009 2:37 PM
Excellent article. I like how you took the time to look up known problems with TDE and to write out a list of issues to take into consideration. In other words, this article is much more than a re-hash of BOL/here's how you do it. It gives great info. Thanks.
Post #709743