May 5, 2009 at 12:16 am
great article.
Thank you for pointing the known issue and the ref to connect.
Johan
Learn to play, play to learn !
Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:
- How to post Performance Problems
- How to post data/code to get the best help[/url]
- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
May 5, 2009 at 1:16 am
"The private key is used to encrypt the data and the public key is used to decrypt the data."
Shouldn't it be the other way around?
Great article though!
May 5, 2009 at 6:23 am
Amit Lohia (5/4/2009)
Roy,You beat me on this. Even I wrote a paper of TDE and was waiting to have an answer for the Disabling TDE issue before I publish. Your article is very well written and deserve a 5 star.
By the way, Can we know if Microsoft will have an answer or a patch for the issue in their next service pack?
Amit
Don't let that stop you from publishing your article. It may present things in a different way or answer questions that weren't answered in Roy's article.
May 5, 2009 at 7:22 am
Hi Amit,
Thanks... But I recommend you to publish your article. Your take might be a bit different than mine. The more info out there, the better.
In connect, no work around or any release details have been specified. Let us wait and see.
-Roy
May 5, 2009 at 7:27 am
Good article. I'm just starting to play with 2008, and this definitely will help.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
May 5, 2009 at 7:40 am
Thanks GSquared, Thanks ALZDBA
🙂
-Roy
May 7, 2009 at 3:01 pm
Hi,
Anybody has experience for key rotation, esp integrated with third party key management tool with TDE?
Thanks.
May 7, 2009 at 7:33 pm
cppprogrammer (5/5/2009)
"The private key is used to encrypt the data and the public key is used to decrypt the data."Shouldn't it be the other way around?
I should clarify. The receiver is the person who has to have the private key for asymmetric cryptography. The receiver publishes a public key which is used by the sender to encrypt. The private key only known to the receiver is used to decrypt.
Therefore the statement I quoted above should be:
"The public key is used to encrypt the data and the private key is used to decrypt the data."
May 8, 2009 at 6:36 am
Ping, Sorry Cant help you there.
cppprogrammer, yes I agree. Let me look up how I made the mistake.
-Roy
June 2, 2009 at 6:47 am
Just as an Update, the issue raised by Mohit and Grant will be fixed in the next release of SQL 2008.
-Roy
July 16, 2009 at 3:16 pm
Roy,
Thanks for the great article. Steve pointed this article out to me as I was looking for some info on general database safety. http://qa.sqlservercentral.com/Forums/Topic754288-146-1.aspx#bm754352 I have a question though.
In the article, you said.....
"That means that a small/medium sized database (Anywhere above 50 GIG) will probably have a backup file of that size itself. If someone is able to steal the backup file of that size, you have a very big issue."
Do you mean....
If a TDE enabled backup is stolen, it cannot be restored. So its well protected. But the bigger problem is that if someone could steal that large file, then we are in big trouble, right?
Because, right now, I need to come up with ways to protect database files when Sql Server is installed on a laptop is stolen. BTW, its a Sql 2005. Or login info in to the laptop is compromised.
Any help is appreciated.
thanks,
_Uday
July 23, 2009 at 2:16 pm
I have 2 responses that I did not see a reply yet to. so here we go:
1) TDE is an available option on Enterprise and Developer editions only.
2) Roy, this goes back to testing out the issues with TDE- I fortunately was able to turn the encryption off and and then try and restore from 2 different full database backups (using developer edition, RTM):
1) I tried restoring from an encrypted full backup- worked fine with replace option
2) I tried restoring from an non-encrypted full backup- worked fine with replace option.
So, I am not sure if the limitations are only related to tlog restores after you switch an encrypted DB to non-encrypted DB. I also did try the worst case scenario-I blew away the master key and certificates and rebuilt from the files I backed up- it worked fine too. Stay tuned and I will let you know if the tlog restore option worked of failed like Roy expressed. Overall I like the TDE feature very much.
July 23, 2009 at 3:18 pm
UB (7/16/2009)
Roy,Thanks for the great article. Steve pointed this article out to me as I was looking for some info on general database safety. http://qa.sqlservercentral.com/Forums/Topic754288-146-1.aspx#bm754352 I have a question though.
In the article, you said.....
"That means that a small/medium sized database (Anywhere above 50 GIG) will probably have a backup file of that size itself. If someone is able to steal the backup file of that size, you have a very big issue."
Do you mean....
If a TDE enabled backup is stolen, it cannot be restored. So its well protected. But the bigger problem is that if someone could steal that large file, then we are in big trouble, right?
Because, right now, I need to come up with ways to protect database files when Sql Server is installed on a laptop is stolen. BTW, its a Sql 2005. Or login info in to the laptop is compromised.
Any help is appreciated.
thanks,
_Uday
let us say that your laptop that has the DB installed is stolen I do not think there is anything you can do other than actual encryption of data. (That is if they are able to Login to the Laptop.) If they are not able to login because of very strong password, then even if they are able to take out the HDD and copy the file somewhere else and try to attach the file, they wont be able to do that.
But there are other things you can do. There is some tools that actually encrypts the HDD. You could try to use them.
-Roy
July 23, 2009 at 3:20 pm
Fresh Squeeze (7/23/2009)
I have 2 responses that I did not see a reply yet to. so here we go:1) TDE is an available option on Enterprise and Developer editions only.
2) Roy, this goes back to testing out the issues with TDE- I fortunately was able to turn the encryption off and and then try and restore from 2 different full database backups (using developer edition, RTM):
1) I tried restoring from an encrypted full backup- worked fine with replace option
2) I tried restoring from an non-encrypted full backup- worked fine with replace option.
So, I am not sure if the limitations are only related to tlog restores after you switch an encrypted DB to non-encrypted DB. I also did try the worst case scenario-I blew away the master key and certificates and rebuilt from the files I backed up- it worked fine too. Stay tuned and I will let you know if the tlog restore option worked of failed like Roy expressed. Overall I like the TDE feature very much.
What version of Service pack do you have. I know that this was an issue with Service pack 1. This was a known issue in Connect and Microsoft themselves made a statement that it will fixed with the next version of Service Pack.
-Roy
July 24, 2009 at 6:44 am
No SP- Just RTM version,but I am using the developer edition. I am in the process of loading SP1 to see if I run into that issue you expressed in the article.
BTW, great article Roy- well explained- Helped me thru understanding the setup, etc.
Viewing 15 posts - 31 through 45 (of 81 total)
You must be logged in to reply to this topic. Login to reply