June 9, 2015 at 6:00 am
I'm sorry but what are you asking/telling me?
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/
June 9, 2015 at 7:31 am
I challenged them why they was to encrypt the entire database.
I was told that it was a Business requirement handed down from Corporate.
What are some of CONS of doing this?
Thanks.
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/
June 9, 2015 at 7:39 am
Welsh Corgi (6/9/2015)
I challenged them why they was to encrypt the entire database.I was told that it was a Business requirement handed down from Corporate.
What are some of CONS of doing this?
Thanks.
I am sure there are a few but the only one I am aware of is that you will probably see an increase of CPU with TDE enabled.
June 9, 2015 at 7:48 am
BL0B_EATER (6/9/2015)
I am sure there are a few but the only one I am aware of is that you will probably see an increase of CPU with TDE enabled.
Likely, but not usually the biggest concern (unless the server's already maxed out on CPU). I'd be far more concerned about the implications for restores, especially restores in the case of a disaster.
I've seen a case (here on the forums) where someone had multuiple full backups of a database and all necessary log backups, all copied to DR and all completely unrestorable because the TDE certificate hadn't been backed up and the server it was on was no longer available
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
June 9, 2015 at 7:59 am
GilaMonster (6/9/2015)
BL0B_EATER (6/9/2015)
I am sure there are a few but the only one I am aware of is that you will probably see an increase of CPU with TDE enabled.Likely, but not usually the biggest concern (unless the server's already maxed out on CPU). I'd be far more concerned about the implications for restores, especially restores in the case of a disaster.
I've seen a case (here on the forums) where someone had multuiple full backups of a database and all necessary log backups, all copied to DR and all completely unrestorable because the TDE certificate hadn't been backed up and the server it was on was no longer available
Ouch... sounds like my worst nightmare come true.
June 9, 2015 at 8:08 am
BL0B_EATER (6/9/2015)
Ouch... sounds like my worst nightmare come true.
No it would be worst and would likely result in you typing your resume
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
June 9, 2015 at 8:13 am
Welsh Corgi (6/8/2015)
What am I missing?
This
Welsh Corgi (6/8/2015)
-- Warning: The certificate used for encrypting the database encryption key has not been backed up. You should immediately back up the certificate and the private key associated with the certificate.-- If the certificate ever becomes unavailable or if you must restore or attach the database on another server, you must have backups of both the certificate and the private key or you
-- will not be able to open the database.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
June 9, 2015 at 8:15 am
If anyone wants to know why Gail said this, read my post immediately above
GilaMonster (6/9/2015)
I'd be far more concerned about the implications for restores, especially restores in the case of a disaster.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
June 9, 2015 at 8:32 am
Couple things.
First, back up your certificate now. Even if you turn off TDE, it doesn't hurt to have a copy and someone might turn it on again.
Second, you might have auditors that want TDE on so the company can say the "database is encrypted". I find TDE to be not much more than a checkbox, but it does usually check the box. However, make sure you have copies of the certificate backup and test performing restores.
Third, if you enable encryption of data, then also be careful. You need backups of the certificates or asymmetric keys you use, and copies of the code used to create the symmetric keys in case you need to rebuild them elsewhere. They are included in database backups, but I prefer to ensure I've archived copies separately. Note that if you use asymmetric keys, you need to create them outside of SQL Server and import them to ensure a backup.
June 9, 2015 at 10:56 am
As far as negatives of TDE on performance, note that it is incompatible with a couple of settings. Namely if you have TDE then you lose any space benefits you would have gotten if you were/are using backup compression. The other thing is that if you enable TDE instant file initialization settings are not honored as any file operations that must require space have to zero out the space on disk first. So as Gail implied before large backups/restores can take a LOT longer.
I think the main benefits of TDE is if your organization has any data-at-rest encryption requirements. Basically something that would prevent an attacker from copying backups or offline data files and bringing them up somewhere else. It does nothing for data-in-transit or data-in-memory though.
Joie Andrew
"Since 1982"
Viewing 10 posts - 16 through 25 (of 25 total)
You must be logged in to reply to this topic. Login to reply