Protecting Your SharePoint Content Databases using SQL Transparent Data Encryption
Download as PPTX, PDF1 like1,993 views
Transparent Database Encryption (TDE) allows encryption of SQL Server databases, including SharePoint content databases, without requiring changes to the application. TDE encrypts the database, transaction log files, and any backup files. It uses certificates, asymmetric keys, and database encryption keys to encrypt and decrypt data without impacting performance significantly. Administrators can enable TDE on databases to protect data from unauthorized access even if the database files are copied or stolen.
Protecting Your SharePoint Content Databases using SQL Transparent Data Encryption
- 2. Protecting your SharePoint Content with SQL Server 2008 Transparent Database EncryptionMichael NoelPartnerConvergent ComputingSESSION CODE: #AIT008(c) 2011 Microsoft. All rights reserved.
- 3. Michael NoelSydneyBrisbaneCanberraTasmaniaKatoombaSkippyHungryQuokkasBondiMelbourne12 (11)ApostlesAdelaidePerthGreat to be back in Beautiful Australia!
- 4. Session OverviewDiscussion of various Encryption OptionsCell-level EncryptionFile-Level Encryption (Bitlocker, EFS)Transparent Data EncryptionActive Directory Rights Management Services (AD RMS)TDE OverviewTDE for SharePoint Content DatabasesDemo of TDE(c) 2011 Microsoft. All rights reserved.
- 5. The problem? Unencrypted DataData Stored Unencrypted on a SQL ServerStolen Backups or Administrators of a Server can have access to all SharePoint ContentGovernmental and Industry Regulation Restricts Storage of Content Unencrypted(c) 2011 Microsoft. All rights reserved.
- 6. The Solution? Data EncryptionMany Options, same conceptFiles are stored in unreadable format, using PKI based encryptionSome Options require Application Support (i.e. Cell-level Encryption), which SharePoint doesn't support(c) 2011 Microsoft. All rights reserved.
- 7. Cell Level EncryptionAvailable with either SQL 2005 or SQL 2008Encrypts individual cells in a databaseRequires a password to access the cellRequires that columns be changed from their original data type to varbinaryAdvantage is that only specific info is encryptedDisadvantage is that you cannot use this for SharePoint Databases(c) 2011 Microsoft. All rights reserved.
- 8. File-level EncryptionTwo forms, older Encrypting File System (EFS) and BitlockerEFS encrypts data at the File LevelBitlocker encrypts data at the Volume LevelBitlocker Encrypts every file on the disk, not just database filesCould be used together with TDE(c) 2011 Microsoft. All rights reserved.
- 9. File-level EncryptionBiggest drawback: Heavy Performance HitNo support for prefetch or asynchrouous I/OI/O operations can become bottlenecked and serializedDoesn't protect the volume when accessed across the networkOnly really feasible in very small workgroup scenarios, rarely applies to SharePoint(c) 2011 Microsoft. All rights reserved.
- 10. Active Directory Rights Management Services (AD RMS)Encrypts content upon access and removal, not in storageProvides Rights Protection, which can expire a document or limit the ability to:PrintCut/PasteProgrammatically accessSave As a different fileCan be used with TDE(c) 2011 Microsoft. All rights reserved.
- 11. SQL Transparent Data Encryption (TDE)New in SQL Server 2008Only Available with the Enterprise EditionSeamless Encryption of Individual DatabasesTransparent to Applications, including SharePoint(c) 2011 Microsoft. All rights reserved.
- 12. SQL Transparent Data Encryption (TDE)When enabled, encrypts Database, log file, any info written to TempDB, snapshots, backups, and Mirrored DB instance, if applicableOperates at the I/O level through the buffer pool, so any data written into the MDF is encryptedCan be selectively enabled on specific databasesBackups cannot be restored to other servers without a copy of the private key, stolen MDF files are worthless to the thiefEasier Administration, Minimal server resources required (3%-5% performance hit)(c) 2011 Microsoft. All rights reserved.
- 13. Potential TDE Limitations Does not encrypt the Communication Channel (IPSec can be added)Does not protect data in memory (DBAs could access)Cannot take advantage of SQL 2008 Backup CompressionTempDB is encrypted for the entire instance, even if only one DB is enabled for TDE, which can have a peprformance effect for other DBsReplication or FILESTREAM data is not encrypted when TDE is enabled (i.e. RBS BLOBs not encrypted)(c) 2011 Microsoft. All rights reserved.
- 14. How TDE WorksWindows Data Protection API (DPAPI) at root of encryption key hierarchyDPAPI creates and protects Service Master Key (SMK) during SQL SetupSMK used to protect Database Master Key (DMK)DMK used to protect Certificate and Asymmetric KeyCertificate and Asymmetric Key used to create Database Encryption Key (DEK)(c) 2011 Microsoft. All rights reserved.
- 15. (c) 2011 Microsoft. All rights reserved.Key and Cert HierarchyDPAPI Encrypts SMKSMK encrypts the DMK for master DB Service Master Key Data Protection API (DPAPI) Database Master KeyCertificate Database Encryption KeySQL Instance LevelWindows OS Levelmaster DB Levelmaster DB LevelContent DB LevelDMK creates Cert in master DBCertificate Encrypts DEK in Content DBDEK used to encrypt Content DB
- 16. High Level Steps to Enable TDECreate the DMKCreate the TDE CertBackup the TDE CertCreate the DEKEncrypt the DBMonitor Progress(c) 2011 Microsoft. All rights reserved.
- 17. Creating the Database Master Key (DMK)Symmetric key used to protect private keys and asymmetric keysProtected itself by Service Master Key (SMK), which is created by SQL Server setupUse syntax as follows:USE master;GOCREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';GO(c) 2011 Microsoft. All rights reserved.
- 18. Create Certificate Protected by DMKProtected by the DMKUsed to protect the database encryption keyUse syntax as follows:USE master;GOCREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate' ;GO(c) 2011 Microsoft. All rights reserved.
- 19. Backup Master Key and CertWithout a backup, data can be lostBackup creates two files, the Cert backup and the Private Key FileUse following syntax:USE master;GOBACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'c:\Backup\CompanyABCtdeCERT.cer' WITH PRIVATE KEY ( FILE = 'c:\Backup\CompanyABCtdeDECert.pvk', ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );GO(c) 2011 Microsoft. All rights reserved.
- 20. Create a Database Encryption Key (DEK)DEK is used to encrypt specific databaseOne created for each databaseEncryption method can be chosen for each DEKUse following syntax:USE SharePointContentDB;GOCREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCertGO(c) 2011 Microsoft. All rights reserved.
- 21. Enable TDEData encryption will begin after running commandSize of DB will determine time it will take, can be lengthy and could cause user blockingUse following syntax:USE SharePointContentDBGOALTER DATABASE SharePointContentDBSET ENCRYPTION ONGO(c) 2011 Microsoft. All rights reserved.
- 22. Monitor TDE ProgressState is ReturnedState of 2 = Encryption BegunState of 3 = Encryption CompleteUse following syntax:USE SharePointContentDBGOSELECT *FROM sys.dm_database_encryption_keysWHERE encryption_state = 3;GO(c) 2011 Microsoft. All rights reserved.
- 23. Restoring Encrypted DB to Another ServerStep 1: Create new Master Key on Target Server (Does not need to match source master key)Step 2: Backup Cert and Private Key from SourceStep 3: Restore Cert and Private Key onto Target (No need to export the DEK as it is part of the backup)USE master;GOCREATE CERTIFICATE CompanyABCtdeCertFROM FILE = 'C:\Restore\CompanyABCtdeCert.cer'WITH PRIVATE KEY (FILE = 'C:\Restore\CompanyABCtdeCert.pvk', DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!')Step 4: Restore DB(c) 2011 Microsoft. All rights reserved.
- 24. DemoEncrypting SharePoint Content DBs using Transparent Data Encryption
- 25. Complete an Evaluation online and enter to WIN these prizes!<Prizes & Process TBC>(c) 2011 Microsoft. All rights reserved.
- 26. Thanks for attending!Questions?Michael NoelTwitter: @MichaelTNoelwww.cco.comSlides: slideshare.net/michaeltnoel
- 27. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.(c) 2011 Microsoft. All rights reserved.
- 28. www.msteched.com/AustraliaSessions On-Demand & Communitywww.microsoft.com/australia/learningMicrosoft Certification & Training Resourceshttp:// technet.microsoft.com/en-auResources for IT Professionalshttp://msdn.microsoft.com/en-auResources for DevelopersResources(c) 2011 Microsoft. All rights reserved.