Transparent Data Encryption (TDE) is mainly meant to stop someone who copies the database files without authorization, or walks off with the server, from reading sensitive data by attaching or restoring the database somewhere else. It protects data at rest only: anyone who can already log in and query the database sees plaintext, and it does nothing for data in transit.
This post walks through creating a TDE database, backing it up, and restoring that backup on a new instance.
The main steps for setting up a TDE database:
- Create the database master key (DMK) in master
- Create a certificate encrypted by the master key
- Back up the master key and the certificate together with its private key
- Create the database encryption key (DEK), protected by the certificate
- Turn encryption on for the database
Creating the TDE database
CREATE DATABASE [TDEDataBase]
CONTAINMENT = NONE
ON PRIMARY
( NAME = N'TDEDataBase',
FILENAME = N'C:\MyTest\DB\TDEDataBase.mdf' ,
SIZE = 3072KB , FILEGROWTH = 1024KB )
LOG ON
( NAME = N'TDEDataBase_log',
FILENAME = N'C:\MyTest\DB\TDEDataBase_log.ldf' ,
SIZE = 1024KB , FILEGROWTH = 10%)
GO
-- The master key and the certificate that protects the DEK must live in master,
-- so switch context explicitly before creating them.
USE master;
GO
-- Create the database master key (DMK)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '!drJP9QXC&Vi%cs';
GO
-- Create the certificate used to protect the database encryption key
CREATE CERTIFICATE TDETestDBCert WITH SUBJECT = 'TDE Test';
GO
-- Create the database encryption key (DEK) for TDE inside the user database.
USE TDEDataBase;
GO
-- AES_128 as in the original script; AES_192 and AES_256 are also supported,
-- and AES_256 is the stronger choice for a new deployment.
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE TDETestDBCert;
GO
-- Back up the certificate and its private key. Both live in master, so the
-- backup has to run there. Without this backup the encrypted database cannot
-- be restored on any other instance.
-- The passwords below are demo values from the post; use strong ones and keep
-- them (and the files) somewhere other than the database server.
USE master;
GO
BACKUP CERTIFICATE TDETestDBCert
TO FILE = 'C:\MyTest\TDETest_DBCert_BackUp'
WITH PRIVATE KEY
(
FILE = 'C:\MyTest\TDETest_PrivateKeyFile',
ENCRYPTION BY PASSWORD = 'TDETest123'
);
GO
-- Back up the master key
BACKUP MASTER KEY
TO FILE = N'C:\MyTest\MasterKey'
ENCRYPTION BY PASSWORD = N'password';
GO
-- Enable TDE
ALTER DATABASE TDEDataBase SET ENCRYPTION ON;
GO
After enabling it, check the encryption state:
SELECT DB_NAME(database_id) AS DatabaseName,
key_algorithm AS [Algorithm],
key_length AS KeyLength,
CASE encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
WHEN 6 THEN 'Protection change in progress' -- certificate protecting the DEK is being changed
END AS EncryptionStateDesc,
percent_complete AS PercentComplete,
encryptor_thumbprint AS EncryptorThumbprint -- the thumbprint a restore on another instance will ask for
FROM sys.dm_database_encryption_keys;
The result shows that, besides the database just created, tempdb is encrypted as well. As soon as any one database in an instance is encrypted, tempdb is encrypted too, because it holds intermediate results from queries against the encrypted database.
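Before relying on the certificate backup, it is worth checking which certificate actually protects each encrypted database and whether that certificate's private key has ever been backed up. The query below is an added example, not part of the original post; it joins the DEK view to master.sys.certificates on the thumbprint and uses the standard SQL Server columns (pvt_key_last_backup_date is available from SQL Server 2012 on). tempdb shows up in the list as well and is deliberately excluded from the warning, since it is re-created at every restart and is never restored.

```sql
-- Added example: map every database encryption key to the server certificate
-- that protects it, and flag certificates whose private key was never backed up.
USE master;
GO
SELECT
    DB_NAME(dek.database_id)       AS DatabaseName,
    dek.encryption_state,
    dek.key_algorithm,
    dek.key_length,
    dek.encryptor_type,            -- 'CERTIFICATE' or 'ASYMMETRIC KEY'
    dek.encryptor_thumbprint,      -- the value quoted in the restore error
    c.name                         AS CertificateName,
    c.subject,
    c.expiry_date,
    c.pvt_key_last_backup_date,    -- NULL means the private key was never backed up
    CASE
        WHEN dek.database_id = DB_ID('tempdb')   THEN 'n/a (tempdb is never restored)'
        WHEN c.thumbprint IS NULL                THEN 'MISSING: protecting certificate is not in master'
        WHEN c.pvt_key_last_backup_date IS NULL  THEN 'WARNING: private key never backed up'
        ELSE 'OK'
    END                            AS BackupStatus
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint
ORDER BY DatabaseName;
```

Run it on the source instance before taking the database backup: a row marked MISSING or WARNING means the .bak file you are about to ship cannot be opened anywhere else.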
Migrating to a new instance/server
If there is no second instance to test with, you can simulate one on the same instance by dropping the master key and the certificate (take the full backup of TDEDataBase first; if the original database is still present, the restore below will additionally need WITH REPLACE):
USE master;
GO
DROP CERTIFICATE TDETestDBCert;
DROP MASTER KEY;
If you restore the database straight onto the new instance/server, it fails with: Cannot find server certificate with thumbprint '0xXXXXXXX'. RESTORE DATABASE is terminating abnormally.
The key and certificate have to be restored first for the database restore to succeed. One caveat: on a target that already has its own database master key, RESTORE MASTER KEY replaces that key and re-encrypts everything it protects; on such an instance it is usually better to keep the existing master key and only import the certificate.
-- The backup files are assumed to have been copied from the source server to C:\.
USE master;
GO
-- Restore the master key
RESTORE MASTER KEY
FROM FILE = N'C:\MasterKey'
DECRYPTION BY PASSWORD = N'password'  -- password used when the key was backed up
ENCRYPTION BY PASSWORD = N'password'; -- password for the key on this instance
GO
-- Open the master key
OPEN MASTER KEY DECRYPTION BY PASSWORD = N'password';
GO
-- Restore the certificate together with its private key
CREATE CERTIFICATE TDETestDBCert
FROM FILE = 'C:\TDETest_DBCert_BackUp'
WITH PRIVATE KEY (FILE = 'C:\TDETest_PrivateKeyFile',
DECRYPTION BY PASSWORD = 'TDETest123');
GO
-- Restore the database again; now the certificate with the expected thumbprint exists
RESTORE DATABASE [TDEDataBase] FROM DISK = N'C:\TDEDataBase_20180522.bak'
WITH MOVE 'TDEDataBase' TO 'C:\TDEDataBase.mdf'
,MOVE 'TDEDataBase_log' TO 'C:\TDEDataBase.ldf';
GO
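The script below is an added example, not part of the original post. It shows the alternative target-side procedure for a fresh instance: create a new master key on the target instead of restoring the source's, import only the certificate (its private key is re-encrypted with the target's master key, so the source master key is never needed), print the imported thumbprint so it can be compared with the one in the error message, and run the restore inside TRY/CATCH so a mismatch is reported with both values. Database, certificate and file names and the 'TDETest123' password are the post's; the master key password is an assumed value for this example.

```sql
-- Added example: target-side import with a fresh master key, then a guarded restore.
-- Backup files are assumed to have been copied to C:\ as in the post.
USE master;
GO
-- 1. A database master key is required before a certificate with a private key
--    can be created. Create one only if this instance has none yet.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'NewTargetMasterKeyPwd!2018'; -- assumed value
GO
-- 2. Import the certificate and private key from the files backed up on the source.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDETestDBCert')
    CREATE CERTIFICATE TDETestDBCert
    FROM FILE = 'C:\TDETest_DBCert_BackUp'
    WITH PRIVATE KEY (FILE = 'C:\TDETest_PrivateKeyFile',
                      DECRYPTION BY PASSWORD = 'TDETest123');
GO
-- 3. Show the imported thumbprint. It must equal the encryptor_thumbprint of the
--    database on the source instance (the value quoted in the restore error).
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TDETestDBCert';
GO
-- 4. Restore. If the certificate does not match, the "Cannot find server certificate
--    with thumbprint" error (Msg 33111) is caught and re-raised together with the
--    thumbprint that was actually imported, which makes the mismatch obvious.
BEGIN TRY
    RESTORE DATABASE [TDEDataBase]
    FROM DISK = N'C:\TDEDataBase_20180522.bak'
    WITH MOVE 'TDEDataBase'     TO 'C:\TDEDataBase.mdf',
         MOVE 'TDEDataBase_log' TO 'C:\TDEDataBase.ldf',
         STATS = 10;
END TRY
BEGIN CATCH
    DECLARE @msg nvarchar(2048) = ERROR_MESSAGE();
    DECLARE @tp  nvarchar(100)  = CONVERT(nvarchar(100),
        (SELECT thumbprint FROM sys.certificates WHERE name = 'TDETestDBCert'), 1);
    RAISERROR('Restore failed: %s Certificate TDETestDBCert on this instance has thumbprint %s.',
              16, 1, @msg, @tp);
END CATCH;
GO
-- 5. Confirm the restored database is online and still encrypted (encryption_state 3).
SELECT d.name, d.state_desc, d.is_encrypted, k.encryption_state, k.encryptor_thumbprint
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.name = 'TDEDataBase';
```

Step 5 is the one people skip: a restore that succeeds proves the certificate matched, but checking is_encrypted and encryption_state afterwards also confirms that the target's tempdb is now encrypted and that the certificate on the target should itself be backed up and its expiry tracked, exactly as on the source.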