Transparent data encryption: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 11:11, 19 March 2016 edit Smcauliffenz (talk \| contribs) 7 edits m →Microsoft SQL Server TDE: Date correction ← Previous edit		Latest revision as of 19:04, 18 August 2025 edit undo Victor.rich (talk \| contribs) 6 edits m →External links
(34 intermediate revisions by 25 users not shown)
Line 1: {{nomore footnotes\|date=March 2015}} '''Transparent ~~Data~~data ~~Encryption~~encryption''' (often abbreviated to '''TDE''') is a technology employed by ~~both~~ [[Microsoft]], [[IBM]] and [[Oracle Corporation\|Oracle]] to [[encryption\|encrypt]] [[database]] files. TDE offers encryption at file level. TDE ~~solves~~enables the ~~problem~~encryption of ~~protecting~~ [[data at rest]], encrypting databases both on the hard drive and consequently on [[backup]] media. It does not protect [[data in transit]] nor [[data in use]]. Enterprises typically employ TDE to solve compliance issues such as [[PCI DSS]]. which require the protection of data at rest. Microsoft offers TDE as part of its [[Microsoft SQL Server]] 2008, 2008 R2, 2012, 2014, 2016, 2017 and ~~2016~~2019.<ref>{{Cite ~~when~~news\|url=https://info.townsendsecurity.com/sql-server-tde-vs-cell-level-encryption-a-brief-comparison\|title=SQL ~~released~~Server TDE vs CLE\|access-date=2017-06-02\|language=en\|archive-date=2018-10-19\|archive-url=https://web.archive.org/web/20181019211909/https://info.townsendsecurity.com/sql-server-tde-vs-cell-level-encryption-a-brief-comparison\|url-status=live}}</ref> TDE iswas only supported on the Evaluation, Developer, Enterprise and Datacenter editions of Microsoft SQL Server, until it was also made available in the Standard edition for 2019.<ref>[https://techcommunity.microsoft.com/t5/sql-server/sql-server-2019-standard-edition/ba-p/986121 "SQL Server 2019 Standard Edition"]''Microsoft Tech Community''</ref> SQL TDE is supported by [[~~Hardware~~hardware ~~Security~~security ~~Module~~module]]s from Thales e-Security, Townsend Security and SafeNet, Inc. IBM offers TDE as part of [[IBM Db2\|Db2]] as of version 10.5 fixpack 5.<ref>{{Cite web\|url=https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.wn.doc/doc/c0061179.html\|title = Fix pack summary\| website=[[IBM]] }}</ref> It is also supported in cloud versions of the product by default, Db2 on Cloud and Db2 Warehouse on Cloud. Oracle requires the Advanced Security Option for Oracle 10g and 11g to enable TDE. Oracle TDE addresses encryption requirements associated with public and private privacy and security mandates such as PCI and [[California]] [[SB 1386]]. Oracle Advanced Security TDE column encryption was introduced in Oracle Database 10g Release 2. Oracle Advanced Security TDE tablespace encryption and support for [[Hardware Security Module]]s (HSM) were introduced with Oracle Database 11gR1. Keys for TDE can be stored in an HSM to manage keys across servers, protect keys with hardware, and introduce a separation of duties.▼ ▲Oracle requires the [[Oracle Advanced Security]] ~~Option~~option for Oracle 10g and 11g to enable TDE.{{citation needed\|date=July 2016}} Oracle TDE addresses encryption requirements associated with public and private privacy and security mandates such as PCI and [[California]] [[California Senate Bill 1386 (2002)\|SB 1386]]. Oracle Advanced Security TDE column encryption was introduced in Oracle Database 10g Release 2. Oracle Advanced Security TDE tablespace encryption and support for [[~~Hardware~~hardware ~~Security~~security ~~Module~~module]]s (~~HSM~~HSMs) were introduced with Oracle Database 11gR1. Keys for TDE can be stored in an HSM to manage keys across servers, protect keys with hardware, and introduce a separation of duties. The same key is used to encrypt columns in a table, regardless of the number of columns to be encrypted. These encryption keys are encrypted using the database server master key and are stored in a dictionary table in the database. Line 10 ⟶ 12: == Microsoft SQL Server TDE == SQL Server utilizes an encryption hierarchy that enables databases to be shared within a cluster or migrated to other instances without re-encrypting them. The hierarchy consists of a combination of symmetric and asymmetric ciphers:<ref>[https://technet.microsoft.com/en-us/library/bb934049(v=sql.110).aspx "Transparent Data Encryption (TDE)"] {{Webarchive\|url=https://web.archive.org/web/20160329054424/https://technet.microsoft.com/en-us/library/bb934049(v=sql.110).aspx \|date=2016-03-29 }} ''Microsoft TechNet''</ref>: * Windows [[~~Data_Protection_API~~Data Protection API\|Data Protection API (DPAPI)]] protects a single instance-wide Service Master Key (SMK). * The Service Master Key encrypts the Database Master Key (DMK). * The Database Master Key is used in conjunction with a certificate to encrypt the Database Encryption Key. * The Database Encryption Key is used to encrypt the underlying database files with either the [[~~Advanced_Encryption_Standard~~Advanced Encryption Standard\|AES]] or [[~~Triple_DES~~Triple DES\|3DES]] cipher. * The ''master'' database that contains various system level information, user accounts and management services is not encrypted. During database backups, [[~~Data_compression~~Data compression\|compression]] occurs after encryption. Due to the fact that strongly encrypted data cannot be significantly compressed, backups of TDE encrypted databases require additional resources. To enable automatic booting, SQL Server stores the lowest level encryption keys in persistent storage (using the [[~~Data_Protection_API~~Data Protection API\|DPAPI]] store). This presents a potential security issue because the stored keys can be directly recovered from a live system or from backups and used to decrypt the databases .<ref>Simon McAuliffe, [~~http~~https://~~simonmcauliffe~~medium.com/~~technology~~@s.mcauliffe_17464/the-anatomy-and-in-security-of-microsoft-sql-server-transparent-data-encryption-tde/-or-how-to-d164eb08564 "The Anatomy and (In)Security of Microsoft SQL Server Transparent Data Encryption (TDE)"] {{Webarchive\|url=https://web.archive.org/web/20231110152114/https://medium.com/@s.mcauliffe_17464/the-anatomy-and-in-security-of-microsoft-sql-server-transparent-data-encryption-tde-or-how-to-d164eb08564 \|date=2023-11-10 }}, 19-Mar-2016</ref>. == See also == * [[Disk encryption]] * [[OTFE]] * [[Encryption]] * [[Hardware ~~Security~~security ~~Module~~module]] ==References== {{Reflist}} ==External links== * [https://www.easefilter.com/kb/transparent-file-encryption-filter-driver-sdk.htm EaseFilter Transparent File Encryption] * [http://technet.microsoft.com/en-us/library/cc645993%28v=sql.105%29.aspx#Enterprise_security Enterprise Security Features Supported by Microsoft SQL Server 2008 R2 Editions]▼ * [~~http~~https://~~technet~~www.~~microsoft~~database-encryption.com/~~en-us/library/cc645993.aspx#Enterprise_security~~ ~~Security~~Alternative ~~Features~~3rd ~~Supported~~party bysolution ~~Microsoft~~for all SQL Server ~~2012~~ Editions] * [https://www.netlibsecurity.com/ Another alternative 3rd party solution for all SQL Server Editions] ▲* [~~http~~https://technet.microsoft.com/en-us/library/cc645993%28v=sql.105%29.aspx#Enterprise_security Enterprise Security Features Supported by Microsoft SQL Server 2008 R2 Editions] * [https://technet.microsoft.com/en-us/library/cc645993.aspx#Enterprise_security Security Features Supported by Microsoft SQL Server 2012 Editions] * [http://msdn.microsoft.com/en-us/library/bb934049.aspx Understanding Transparent Data Encryption (TDE) (Microsoft)] * [http://www.oracle.com/technology/obe/11gr1_db/security/tde/tde.htm Using Transparent Data Encryption in Oracle Database 11g] Line 37 ⟶ 44: * http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asotrans.htm#BABDFHHH * [https://www.p6r.com/articles/2014/11/22/p6rs-pkcs-11-provider/ P6R's PKCS#11 Provider and Oracle TDE] * [https://techcommunity.microsoft.com/t5/sql-server/sql-server-2019-standard-edition/ba-p/986121] [[Category:Disk encryption]]