Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


TDE and SQL Server Databases


TDE and SQL Server Databases

Author
Message
guy.stephens
guy.stephens
Grasshopper
Grasshopper (21 reputation)Grasshopper (21 reputation)Grasshopper (21 reputation)Grasshopper (21 reputation)Grasshopper (21 reputation)Grasshopper (21 reputation)Grasshopper (21 reputation)Grasshopper (21 reputation)

Group: General Forum Members
Points: 21 Visits: 45
I thought it was a very good article Smile.

Just making the point, since I've read a number of articles about TDE, had tried it out (on my SQL Developer version, which has all features), and had recommended it to customers. It was somewhat embarrassing to learn that it wasn't available in the versions of SQL they use.
Perry Whittle
Perry Whittle
SSCrazy Eights
SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)

Group: General Forum Members
Points: 8784 Visits: 16558
yes i can see that would be a little embarrassing, please don't forget to rate the article if you found it useful

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
tthiemann
tthiemann
Forum Newbie
Forum Newbie (4 reputation)Forum Newbie (4 reputation)Forum Newbie (4 reputation)Forum Newbie (4 reputation)Forum Newbie (4 reputation)Forum Newbie (4 reputation)Forum Newbie (4 reputation)Forum Newbie (4 reputation)

Group: General Forum Members
Points: 4 Visits: 8
This is a good write up. A couple of comments:

1) Something to consider if you have more than a handful of databases and want to avoid key management headaches is a network Hardware Security Module (HSM) to secure and manage the keys. The network HSM manages the asymmetric key which is used to protect the symmetric key that is created when TDE is enabled for both SQL Server (and Oracle if you are using Oracle TDE).

2) The key in the Master database is not secure - there are known ways to extract this key if you have access to the system. This is a security hole and without an external key manager or HSM on the system SQL Server with TDE is technically not PCI compliant if that is critical to your regulatory needs. A network HSM allows you to avoid having to purchase a hardware HSM for each server to protect the key. On a side note, Vormetric Key Management manages TDE keys for both SQL Server and Oracle.

3) You mentioned some third party products. There are also products like Vormetric Encryption which provides file-level encryption for data outside of your user and tempdb tables along with associated files outside of the database. This can encrypt the Master Tables, System Tables, Log files and any other external content such as trace files that may contain sensitive data.

Cheers!

Todd
Perry Whittle
Perry Whittle
SSCrazy Eights
SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)

Group: General Forum Members
Points: 8784 Visits: 16558
Hi Todd thanks for the comments, I totally agree, if you're serious about implementing TDE then an external key management service is a must.

The 3rd party products I referred to were backup products such as Litespeed or sqlbackup

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
deanroush
deanroush
SSC Rookie
SSC Rookie (30 reputation)SSC Rookie (30 reputation)SSC Rookie (30 reputation)SSC Rookie (30 reputation)SSC Rookie (30 reputation)SSC Rookie (30 reputation)SSC Rookie (30 reputation)SSC Rookie (30 reputation)

Group: General Forum Members
Points: 30 Visits: 265
I understand TDE does not encrypt FileStream data. In SQL 2012, a new feature is FileTable, which is built upon FileStream technology. This implies that TDE does not support FileTable technology. I have not seen this mentioned specifically. Anyone have any info on this? Thanks.
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search