Uncategorized

Setting up TDE on SQL Server Failover Cluster

Back in 2011 I wrote couple of Blog posts when I was initially exploring Encryption options we have in SQL Server. Never really got a chance to work on TDE since then. Fast forward to 2016, I am participating in TDE project, where we are enabling TDE for few of our databases which are hosted on SQL Server Failover Clustered Instances. Currently we are in testting/POC phase. In this post, I will share what my findings are about TDE on clustered instances. Let’s get started…

Enabling TDE on a clustered database is no different than how we enable on a Standalone Instance. Steps are as follows:

--a.
Create database TDE_Test
GO
--1.create a master key in master database.
USE master
GO
CREATE MASTER KEY
ENCRYPTION BY PASSWORD = 'Very$ecurepwd123'
--2.Create a certificate(name it)
USE master
GO
CREATE CERTIFICATE CLUSTPRD1_TDECert
WITH SUBJECT = 'Transparent Data Encryption Certificate'
--3. Create a database encryption key. –Based on the certificate from Step 2–Can use AES, DES, Triple DES, RC4 etc
USE TDE_Test--The db to protect
GO
CREATE DATABASE ENCRYPTION KEY WITH
ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE
CLUSTPRD1_TDECert--Cert from Step 2

--4. Turn it on!
USE TDE_Test--The db to protect
GO
ALTER DATABASE TDE_Test
SET ENCRYPTION ON
GO
-----Backup Certs---V V Imp
USE MASTER  
GO  
BACKUP CERTIFICATE CLUSTPRD1_TDECert   
TO FILE = 'C:\TDE_Keys\CLUSTPRD1_TDECert.cer'  
WITH PRIVATE KEY (FILE = 'C:\TDE_Keys\CLUSTPRD1_TDECert_Key.pvk' ,  
ENCRYPTION BY PASSWORD = 'MyAw3S0m3Pwd123#' )  
GO
--Backup SMK---VVV Important</pre>

BACKUP SERVICE MASTER KEY TO FILE = 'c:\keys\SQLPRD1_SMK.bak' ENCRYPTION BY PASSWORD = 'gytj6%&5gjOUytp';

Okay…so what happens when SQL gets failed over to another node? Will TDE work? Will the database be still in usable state? The answer is “YES” from my initial testing. Everything remains intact. Nothing breaks!

Note: This is different from the way how it works in Alwayson AGs.

Reason: See below Screenshot taken from BOL.

3_arch

The Master Key which we created on step 1 is protected by Service master key(SMK) which is scoped at Instance level is the root of our Hierarchy, And then the certificate and the keys are scoped at master and user database levels which will be failed over and moved between nodes.So….Nothing special is required for FCIs. Please correct me If I am wrong and post any thoughts in comments.

Cheers!

Advertisements

SQL Server on Linux – Too good to be True!

Microsoft just announced that they are going to support SQL Server on Linux! Yup, that’s true. They also say private preview of SQL Server is already available starting today for customers who are interested. It’s hard to believe me right…Well head over to this blog post and see it for yourself.

https://blogs.microsoft.com/blog/2016/03/07/announcing-sql-server-on-linux/

If what I am seeing is really true, well, for all the guys who says” SQL Server is not secure(We good DBA’s know how to keep it secure)…It only runs on Windows…blah blah” better stop saying that from now on 🙂

For an early look and to sign up for this head over to https://www.microsoft.com/en-us/server-cloud/sql-server-on-linux.aspx and sign up.

I really hope this is not some prank! Any ways…it’s time to brush up my Linux Skills….Voilaaa.

Update – SQL Server 2016 very first Release Candidate(RC 0 ) has been announced as well today.  I sense RTM is coming soon 🙂 Happy SQLing!!!

SSMS 2016 CTP 2.1 Web Setup – Installation Error.

Recently, Microsoft released SQL Server 2016 CTP for public and today I decided to Just install SQL Server 2016 CTP 2.1 Management Studio on my Windows 7 machine by using “SSMS-Web-Setup.exe”. (I tried to install full blown engine using ISO, but it says my OS is unsupported). Anyways…coming to the issue, I downloaded the file and placed it under my default downloads folder and ran the setup file as an admin. After few minutes, It failed generating huge log file, which is basically referencing to other .msi files present in my downloads folder and complaining that elements are not found. I previously downloaded SQLDOM, few Reporting services related msi’s etc which are located in my downloads folder. So, basically SSMS 2016 web Setup has conflicts with those old files which are present in the same folder.

Fix: Created a new folder and place the “SSMS-Web-Setup.exe” file in it and run the setup. That’s it guys…It worked just fine.

2016_ssms

Actually, there is a connect item as well opened for this issue.

A newbie for Tech Blogging

It was always hard to me finding sometime blogging some really Cool Stuff in regards with the technologies i worked in past and currently I’m working on….Thought of sharing my experiences and knowledge with the peers sitting around me and learning new things from their vast Experience…Phewww..enough intro for a Tech Blog( I mean it)