Data reencryption



PHXHoward
Old Hand

Group: General Forum Members
Points: 371 Visits: 1214
Hi everyone.

At what point does the actual data get reencrypted by SQL Server? Does it happen when I regenerate a database encryption key or when a new certificate is created and associated with an encrypted database?

When the data itself is reencrypted, is there a security issue during the decrypt/reencrypt process?

None of the Microsoft documents seem to address this.

Thanks much.
e4d4
SSC Veteran

Group: General Forum Members
Points: 275 Visits: 2398
PHXHoward (1/28/2013)
Hi everyone.

At what point does the actual data get reencrypted by SQL Server? Does it happen when I regenerate a database encryption key or when a new certificate is created and associated with an encrypted database?

Are you talking about Transparent Data Encryption (TDE) or cell-level encryption with certificates and keys?

PHXHoward (1/28/2013)

When the data itself is reencrypted, is there a security issue during the decrypt/reencrypt process?

None of the Microsoft documents seem to address this.

Thanks much.


I don't know about any issue, but you should remember that when you have debug permission at the OS level and no permission on SQL Server you can read encrypted data from memory... and do many more things.
PHXHoward
Old Hand

Group: General Forum Members
Points: 371 Visits: 1214
I'm referring to TDE encryption.

When we regenerate the DEK or create a new certificate and encrypt using certificate, does it decrypt/reencrypt the data itself?
e4d4
SSC Veteran

Group: General Forum Members
Points: 275 Visits: 2398
PHXHoward (1/28/2013)
I'm referring to TDE encryption.

When we regenerate the DEK or create a new certificate and encrypt using certificate, does it decrypt/reencrypt the data itself?



Without decryption, how could it change the key?
When you regenerate a DEK you can track progress in sys.dm_database_encryption_keys, column encryption_state = 4 (Key change in progress); all data in the DB must be decrypted and encrypted again using the new key, e.g.:

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_128;

When you change only the certificate that protects the DEK, only the DEK itself is decrypted and encrypted again by the new certificate. The DEK is not changed, so there is no need to decrypt and encrypt all the data in the DB:

ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER CERTIFICATE NewCert;
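Added example, not code from the thread: the two operations e4d4 contrasts, run with a polling loop and an audit query so the difference between a DEK regenerate (pages rewritten, state 4) and a certificate swap (only the DEK re-wrapped, state 6) is visible in sys.dm_database_encryption_keys. The database name TdeDemo and the certificate name TdeCert2013 are placeholders; TDE is assumed to be already enabled on TdeDemo.

```sql
-- Constructed example, not from the thread: watch the two TDE operations
-- e4d4 contrasts. 'TdeDemo' and 'TdeCert2013' are assumed names; TdeDemo
-- is assumed to be already encrypted (encryption_state = 3).

-- Case 1: regenerate the DEK. Every page is decrypted and re-encrypted, so
-- encryption_state shows 4 (key change in progress) and percent_complete
-- climbs until the rewrite finishes.
USE TdeDemo;
ALTER DATABASE ENCRYPTION KEY
    REGENERATE WITH ALGORITHM = AES_256;
GO

DECLARE @state int = 4, @pct int = 0;
WHILE @state = 4                      -- 4 = key change in progress
BEGIN
    WAITFOR DELAY '00:00:05';
    SELECT @state = encryption_state,
           @pct   = CAST(percent_complete AS int)
    FROM sys.dm_database_encryption_keys
    WHERE database_id = DB_ID();
    RAISERROR('encryption_state=%d percent_complete=%d', 0, 1, @state, @pct)
        WITH NOWAIT;
END
GO

-- Case 2: swap only the certificate that protects the DEK. The DEK is
-- re-wrapped under the new certificate; encryption_state passes through 6
-- (protection change in progress) and back to 3 with no page rewrite, so
-- regenerate_date and percent_complete do not move.
USE master;
CREATE CERTIFICATE TdeCert2013 WITH SUBJECT = 'TDE protector rotated 2013';
GO
USE TdeDemo;
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TdeCert2013;
GO

-- Audit check: which certificate protects the DEK now, when the DEK was
-- last regenerated, and whether any state change is still in flight.
SELECT d.name                AS database_name,
       k.encryption_state,
       k.key_algorithm, k.key_length,
       k.regenerate_date,    -- moves only on REGENERATE
       k.modify_date,        -- DEK last modified (either operation)
       k.percent_complete,
       c.name                AS protector_certificate,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases                 AS d ON d.database_id = k.database_id
LEFT JOIN master.sys.certificates  AS c ON c.thumbprint   = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('TdeDemo');
```

The final query is the one to hand an auditor: a NULL protector_certificate means the DEK is protected by a certificate that is no longer in master, and a regenerate_date older than the key-rotation policy means the DEK itself was never rotated.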


PHXHoward
Old Hand

Group: General Forum Members
Points: 371 Visits: 1214
Thank you for the replies. I understand now.

How safe is the re-encrypt process? Is the data file ever exposed while it is re-encrypted?
e4d4
SSC Veteran

Group: General Forum Members
Points: 275 Visits: 2398
PHXHoward (1/29/2013)
Thank you for the replies. I understand now.

How safe is the re-encrypt process? Is the data file ever exposed while it is re-encrypted?

Encrypted data in decrypted form is present in:
- the buffer pool
- RAM
- the swap file
- and I don't know where else
Encryption is at the page level, so the re-encrypt probably occurs as follows: read a page -> decrypt -> encrypt with the new key -> write the page.
But why are you so afraid about encryption process?
PHXHoward
Old Hand

Group: General Forum Members
Points: 371 Visits: 1214
That makes sense. I was wondering about the reencrypt process because an auditor asked me that question so I wanted to give him an answer.
e4d4
SSC Veteran

Group: General Forum Members
Points: 275 Visits: 2398
PHXHoward (1/29/2013)
That makes sense. I was wondering about the reencrypt process because an auditor asked me that question so I wanted to give him an answer.


Auditor :-) so all is clear, auditors sometimes ask weird questions...