1.2k questions
1.4k answers
361 comments
339 users
All the configuration needed to use TDE is done in MS SQL Server. QIE does not need any configuration changes. Sweet yeah! Below are the steps to configure MS SQL Server to use TDE and to turn it on for the qie database. Note: This includes instructions to create a new QIE database and QIE user which is helpful for a new install. These steps can be skipped to turn on TDE for an existing QIE database.
-- Step One: Create the certificates in the master database USE master; GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'UseStrongPasswordHere123'; GO -- Choose a name. Note: This cert is used at the server level. CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate'; GO -- We can check that it was created using SELECT * FROM sys.certificates GO -- Step Two: Backup the certificate to a secure location /* The code below shows how to back up the certificate to a file in the file system. This file can then be backed up or copied to another system to allow the encrypted database to be restored. */ USE Master GO BACKUP CERTIFICATE MyServerCert TO FILE = 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Backup\MySQLCert' WITH PRIVATE KEY (file='C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Backup\MySQLCertKey', ENCRYPTION BY PASSWORD='UseStrongPasswordToBackupCertHere123') GO /* Code to move a backed up certificate to a New SQL Server Instance */ /* USE Master GO -- Create a new master key. CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'UseStrongPasswordHere123' GO -- Restore the certificate. CREATE CERTIFICATE MyServerCert FROM FILE='c:\temp\MySQLCert' WITH PRIVATE KEY ( FILE = 'c:\temp\MySQLCertKey', DECRYPTION BY PASSWORD='UseStrongPasswordToBackupCertHere123') GO */ -- Step Three: Create a new database CREATE DATABASE qieWithTDE GO /* Note: if you need to create the qie user and map it to the qieWithTDE database */ /* CREATE LOGIN qie WITH PASSWORD='qie', DEFAULT_DATABASE=qieWithTDE, DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF; GO */ -- Create a user in a database for a given login USE qieWithTDE; GO CREATE USER qie FOR LOGIN qie WITH DEFAULT_SCHEMA=[dbo] GO -- Make the qie user a member of following groups USE qieWithTDE exec sp_addrolemember 'db_backupoperator', 'qie'; exec sp_addrolemember 'db_datareader', 'qie'; exec sp_addrolemember 'db_datawriter', 'qie'; exec sp_addrolemember 'db_ddladmin', 'qie'; exec sp_addrolemember 'db_owner', 'qie'; GO -- Step Four: Create database level encryption key USE qieWithTDE; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE MyServerCert; GO -- Step Five: Turn on encryption ALTER DATABASE qieWithTDE SET ENCRYPTION ON; GO -- To monitor encryption progress you can use this query SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length FROM sys.dm_database_encryption_keys GO
-- Resources: -- http://en.wikipedia.org/wiki/Transparent_Data_Encryption -- http://msdn.microsoft.com/en-us/library/bb934049.aspx -- http://sqlmag.com/database-security/using-transparent-data-encryption -- http://www.databasejournal.com/features/mssql/transparent-data-encryption-tde-in-sql-server.html
