Transparent data encryption: Difference between revisions

Rsecor (talk | contribs)
m changed versions to editions, but the whole paragraph needs to be updated and corrected
Added introductory information on SQL Server encryption hierarchy and information about some related technical issues with TDE.
 
The same key is used to encrypt columns in a table, regardless of the number of columns to be encrypted. These encryption keys are encrypted using the database server master key and are stored in a dictionary table in the database.
 
== Microsoft SQL Server TDE ==
 
SQL Server utilizes an encryption hierarchy that enables databases to be shared within a cluster or migrated to other instances without re-encrypting them. The hierarchy consists of a combination of symmetric and asymmetric ciphers<ref>[https://technet.microsoft.com/en-us/library/bb934049(v=sql.110).aspx "Transparent Data Encryption (TDE)"] ''Microsoft TechNet''</ref>:
 
* Windows [[Data_Protection_API|Data Protection API (DPAPI)]] protects a single instance-wide Service Master Key (SMK).
* The Service Master Key encrypts the Database Master Key (DMK).
* The Database Master Key is used in conjunction with a certificate to encrypt the Database Encryption Key.
* The Database Encryption Key is used to encrypt the underlying database files with either the [[Advanced_Encryption_Standard|AES]] or [[Triple_DES|3DES]] cipher.
* The ''master'' database, which holds system-level information, user accounts and management services, is not encrypted.
 
During database backups, [[Data_compression|compression]] occurs after encryption. Because strongly encrypted data cannot be significantly compressed, backups of TDE-encrypted databases require additional resources.
 
To enable automatic booting, SQL Server stores the lowest-level encryption keys in persistent storage (using the [[Data_Protection_API|DPAPI]] store). This presents a potential security issue because the stored keys can be directly recovered from a live system or from backups and used to decrypt the databases.<ref>Simon McAuliffe, [http://simonmcauliffe.com/technology/tde/ "The Anatomy and (In)Security of Microsoft SQL Server Transparent Data Encryption (TDE)"]</ref>
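The following T-SQL walks the hierarchy listed above from the ''master'' database down to one user database, verifies the result, and takes a compressed backup so the interaction between encryption and compression can be observed. It is an added example written for this article, not code from Microsoft's documentation or from the cited sources. The database name ''ExampleDb'', the certificate name ''TdeCert'', the file paths and the passwords are placeholders; everything else is standard SQL Server syntax.

```sql
-- Added example (not from the article): creating the SQL Server TDE hierarchy
-- for one user database and verifying it. ExampleDb, TdeCert, the file paths
-- and the passwords are placeholders to be replaced before use.

USE master;
GO

-- 1. Database Master Key for master. The Service Master Key (which DPAPI keeps
--    on disk so the instance can start unattended) protects it; the password
--    is an additional protector. Fails if master already has a DMK.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO

-- 2. Certificate whose private key the DMK protects; it in turn protects the DEK.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for ExampleDb';
GO

-- 3. Export the certificate and private key to storage separate from the
--    database host. Restoring a TDE backup on another instance requires this
--    certificate; losing it means losing the database.
BACKUP CERTIFICATE TdeCert
    TO FILE = '<secure-path>\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = '<secure-path>\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>');
GO

-- 4. Database Encryption Key inside the user database, protected by the certificate.
USE ExampleDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO

-- 5. Enable encryption; a background scan encrypts the existing pages.
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO

-- 6. Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
--    The join shows which certificate in master currently protects the DEK.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
    ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('ExampleDb');
GO

-- 7. Backup with compression. Compression runs after encryption, so the
--    backup will be little smaller than the raw data files.
BACKUP DATABASE ExampleDb
    TO DISK = '<secure-path>\ExampleDb.bak'
    WITH COMPRESSION;
GO
```

Run the script in SQL Server Management Studio or ''sqlcmd'' (the ''GO'' lines are batch separators, not T-SQL). The verification query is the check worth repeating after any key rotation or migration: a database whose DEK is protected by a certificate that no longer exists in ''master'' cannot be opened, which is why step 3 is taken before encryption is switched on.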
 
== See also ==