SQL_curiosity_POINT: Transparent data Encryption:TDE

Database Encryption: is Transforming the data into 'Cipher Text' using the algorithm(AES128/AES256) to make it incomprehensible if don't decrypt before use
EXAMPLE:

So this is what exactly is happening in encryption all the data is bind with the encryption key (Prism) unless you have the Key the data is useless.

There are multiple ways to encrypt the data but today we will look at the one of the best encryption !

Transparent data encryption: TDE

Below is the transparent data encryption Architecture.

IMAGE SOURCE:

The TDE made its debut with the SQL server 2008 where Microsoft extended the data protection capability of the SQL server. TDE is inbuilt feature of SQL server that encrypts the data at rest or the data available in the drive not in the buffer or any other active transacting place. This only protects the data at the SQL server OS end not the application end. You must balance the pros and cons of Encryption.

You must refer below article for more:

· All About TDE:
· Side Effect:

TDE Hierarchy:

Create the DMK in the master database, if it doesn’t already exist.
Create a certificate in the master database for securing the DEK.
Create the DEK in the user database to be encrypted.
Enable TDE on the user database.
The following example illustrates encrypting and decrypting

The Below example illustrates TED on AdventureWorks2012 database using a certificate installed on the server named MyServerCert.Verify the encryption status:To verify which databases are encrypted on the instance or database use below methods.A: To verify the database;

USE master;

CREATE MASTER KEY ENCRYPTION BY PASSWORD = ’<UseStrongPasswordHere>’;

CREATE CERTIFICATE

MyServerCert WITH SUBJECT = ‘My DEK Certificate’;

USE AdventureWorks2012;

CREATE DATABASE ENCRYPTION KEY

WITH ALGORITHM = AES_128

ENCRYPTION BY SERVER CERTIFICATE MyServerCert;

ALTER DATABASE AdventureWorks2012

SET ENCRYPTION ON;

Verify the encryption status:

To verify which databases are encrypted on the instance or database use below methods.

A: To verify the database;

Use database properties to check encryption.

B: Alternatively use the Query below for the Instance level enquiry:

SELECT name,DEK.*

FROM sys.databases D

JOIN sys.dm_database_encryption_keys DEK

ON DEK.database_id = D.database_id

ORDER BY name;

Output will be like below Snap: (refer ‘Encryption_state’ Column)

is_encrypted = 0 I believe reflects the fact that DB was encrypted automatically, not by issuing ALTER command. Here is what MSDN says about this parameter: Indicates whether the database is encrypted (reflects the state last set by using the ALTER DATABASE SET ENCRYPTION clause).

percent_complete = 0 is expected when there is no ongoing encryption. From MSDN: Percent complete of the database encryption state change. This will be 0 if there is no state change.

encryption_state = 3 looks to be the ultimate hint in answering the question. MSDN: Indicates whether the database is encrypted or not encrypted, 3 = Encrypted.

Database Encryption Struck in progress:

SELECT DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0’ THEN 'No database encryption key present, no encryption’
WHEN '1’ THEN 'Unencrypted’
WHEN '2’ THEN 'Encryption in progress’
WHEN '3’ THEN 'Encrypted’
WHEN '4’ THEN 'Key change in progress’
WHEN '5’ THEN 'Decryption in progress’
WHEN '6’ THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed’
ELSE 'No Status’
END,
percent_complete, create_date, key_algorithm, key_length,
encryptor_thumbprint, encryptor_type FROM sys.dm_database_encryption_keys