In the Previous two Posts of this series, we’ve seen how to actually encrypt our Database(s). In this post, let’s focus on things to consider on Databases with TDE enabled. Let me tell you something…there are lot of GOTCHAS as a DBA for Encrypted databases you should be aware of. You should not be in a situation saying “Oops! I missed it, what should i do now?”. Reminding again….If you loose your Master Key, You’ve lost your Database, No Ifs and buts! If you are creating a DB Encryption key with AES_128/AES_256 Algorithm and if you lost it, i believe it would be a very tough challenge even for an ethical hacker to decrypt it ;)(I might be wrong, but I would expect the same level of encryption what i’m saying!!) Okay!! Enough Scaring you all, let’s get into the actual content!
Very first thing, Encryption adds a little Overhead on your CPU. Thorough testing is mandatory!
Enabling TDE on a Database might require an Application outage, It takes some time depending on your database size(I think it acquires some locks on objects while enabling encryption for the first time, I’m not 100% sure). As a safe bet, do this after Business hours taking on a maintenance window. (Make sure that you’ve tested in your lower environments.)
If you enable TDE on any Database on your Instance, Your TEMPDB is automatically Encrypted as well. Soo…there’s a high possibility impacting other Databases which are actually not using TDE feature while you are in the process of enabling TDE!!!
Instant File Initialization won’t work on TDE Enabled databases and Log truncation won’t happen through the Encryption process(While Background Encryption scanner is in progress). So, keep a close eye on your LDF file when actual encryption process is in progress.
You’ve to backup your Service Master key, Certificates and Master key and secure it in a safest location(Far away from where you store your Database Backups. The idea is not to have access to your Keys for any intruder even though he/she got hold of your DB Backups!
How to Backup your Service Master Key??
BACKUP SERVICE MASTER KEY TO FILE = 'D:\Backs\SMK_08312011.bak' ENCRYPTION BY PASSWORD = 'VERYVERYSTRONGPASSWORD'
How to Backup your Master Key?
BACKUP MASTER KEY TO FILE = 'D:\Backs\Master_Key.bak' ENCRYPTION BY PASSWORD = 'DIFFERENTSTRONGPASSWORD'
How to Backup your Database Key?
BACKUP CERTIFICATE TDEDEMOCERT /*this was the certificate which we created earlier*/ TO FILE = 'D:\Backs\TDEDEMOCERT.BAK' WITH PRIVATE KEY ( FILE = 'D:\Backs\TDEkey.bkey', ENCRYPTION BY PASSWORD = 'VeryStrongPassword' ) GO
That’s all for the day! Let’s see how to actually restore a Database which is Encrypted on a completely different server in the upcoming post of this encryption series.
One thought on “SQL Server Encryption – Part3(GOTCHAS – A TDE Enabled Database)”