Does the certificate matter for TDE? Apparently not, as I found a number of people discussing the fact that the expiration date of the certificate is not checked on TDE restores. So if your certificate expires, you can still restore the TDE backup.
However, the documentation doesn't mention this, and I think it ought to be clarified, so I submitted this Connect item. Feel free to vote if you agree:
Whether the expiration date should matter is another debate. I think it should, but I need to really think through the pros and cons of this.
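As an added example (not from the original post), the following T-SQL first inventories TDE-encrypted databases and flags those whose protecting certificate has already expired, since SQL Server raises no warning of its own, and then shows the certificate export/import and restore sequence that, as the post notes, still succeeds after expiry. The certificate name `TDECert`, database `SalesDB`, file paths and passwords are placeholders.

```sql
-- Added example, not from the original post. Run in master; the names,
-- paths and passwords are placeholders.
USE master;
GO

-- 1. Inventory: which databases are TDE-encrypted, and has the certificate
--    protecting their database encryption key already expired?
--    encryption_state 3 means the database is fully encrypted.
SELECT  d.name              AS database_name,
        c.name              AS certificate_name,
        c.expiry_date,
        CASE WHEN c.expiry_date < SYSDATETIME()                    THEN 'EXPIRED'
             WHEN c.expiry_date < DATEADD(DAY, 90, SYSDATETIME()) THEN 'EXPIRING'
             ELSE 'OK' END  AS expiry_status,
        k.encryption_state
FROM    sys.dm_database_encryption_keys AS k
JOIN    sys.databases   AS d ON d.database_id = k.database_id
LEFT JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
WHERE   d.database_id <> 2          -- tempdb is encrypted implicitly; skip it
ORDER BY c.expiry_date;
GO

-- 2. Source instance: export the certificate and its private key, so the
--    encrypted backup can be restored elsewhere.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO

-- 3. Target instance: a master key must exist before the private key can be
--    imported; then import the certificate and restore the database. The
--    thumbprint must match the backup's encryptor; the expiry date is not
--    checked, which is the behaviour the post describes.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-master-key-password>';
GO
CREATE CERTIFICATE TDECert
    FROM FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
                      DECRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO
RESTORE DATABASE SalesDB
    FROM DISK = 'C:\backups\SalesDB.bak'
    WITH MOVE 'SalesDB'     TO 'D:\data\SalesDB.mdf',
         MOVE 'SalesDB_log' TO 'D:\data\SalesDB_log.ldf';
GO
```

The inventory query is the part worth scheduling: because restore never rejects an expired certificate, the only way to learn that a TDE certificate has lapsed is to look for it.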
Posted by K. Brian Kelley on 30 June 2011
The expiration date should matter. We're told all the time to distrust certificates that are expired. However, practically, the way it's implemented in SQL Server 2008 for TDE, it doesn't work well to force a certificate re-issue. You'd have to decrypt and re-encrypt the entire DB. That's why I was surprised that they tied TDE to a certificate like this.