Skip to main content
Delphix

Setting Up SQL Server Transparent Data Encryption (TDE) For Use With The Delphix Engine (KBA1401)

  1. Last updated
  2. Save as PDF
 

 

KBA

KBA#1401

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies
Date Release
Apr 13, 2023 10.0.0.0
Mar 13, 2023 | Mar 20, 2023 9.0.0.0 | 9.0.0.1
Feb 13, 2023 8.0.0.0
Jan 12, 2023 7.0.0.0
Releases Prior to 2023
Major Release All Sub Releases
6.0

6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0, 6.0.16.0, 6.0.17.0, 6.0.17.1, 6.0.17.2

5.3

 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

5.1

5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

5.0

5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

Summary

The Delphix Engine can be used with SQL Server TDE dSources and VDBs. TDE itself is transparent to the Delphix Engine when set up correctly. If you experience problems with TDE using the Delphix Engine, then it is likely that non Delphix managed database restore operations for TDE databases to the same Staging or Target hosts would also fail.

This article explains how SQL Server TDE works and describes the SQL Server server set up steps for Source, Staging, and Target hosts in a way that shortcuts some of the more complex official SQL Server documentation. The procedures here provide the most basic and standard set up for TDE. Many variations are possible which are usable but out of scope.

Generic Frequently Asked Questions 

  • Does the Delphix Engine support SQL Server TDE?
    Yes. On all versions. It is totally transparent to the Delphix Engine.
     
  • Are there required Delphix Engine setup steps for TDE?
    No.
     
  • Are there required Staging and Target host setup steps for TDE?
    Yes. However these are not Delphix specific. They need to be done on any host where an encrypted database will be restored to. That happens to include Staging and Target host SQL Server instances.
     
  • Is there an impact on the Delphix Engine when using TDE?
    Yes. There is an impact on the compression ratio for storage of databases that use TDE. Therefore, a TDE dSource or VDB will use more storage on the Delphix Engine than a non encrypted database. To understand the impact of this, you should perform a test with a database of a similar size and frequency of transaction log change to do some forecasting.

Background 

Setting up TDE is easy, but managing it can be complex. While this article is useful for basic proof-of-concept set up and lab testing, customers should refer to official SQL Server documentation and refer TDE issues directly to Microsoft. 

It helps to understand some of some of the components of a TDE keystore and what they do.

  • Server/Instance Master Key (SMK)
    You do not need to create this. It is created automatically on installation and is unique to the instance. This is symmetric in that the same key does both encryption and decryption. So there is no key/certificate pair.
     
  • Database Master Key (DMK)
    Is a private decryption key for the database/s which is itself encrypted by by the SMK. This belongs to the "master" database. You need to create this. This key itself is encrypted by the SMK.
     
  • Server Certificate
    Several mechanisms are available to encrypt the Database Encryption Key (DEK). This most commonly uses a Server Certificate, though Extensible Key Management (EKM) modules and other configurations are possible (see Microsoft's Encryption Hierarchy document).

    Server Certificates are stored in the SQL Server instance, and are encrypted using the DMK. Server Certificates can be changed without completely re-encrypting the database.
     
  • Database Encryption Key (DEK)
    This is a symmetric key that is part of each encrypted database, and is used to encrypt and decrypt the data in that database. It goes where the database goes and is included in the backups, but it cannot be decrypted without the Server Certificate (or other mechanism) that was used to protect it.

Functional Flow 

  1. Reads and writes to the database are decrypted or encrypted using the Database Encryption Key (DEK).
  2. When opening the database, the SQL Server instance can only decrypt the DEK if it has the Server Certificate (or other method) that was used to encrypt it.
  3. The SQL Server instance encrypts Server Certificates using the Database Master Key (DMK) and Server Master Key (SMK), to ensure that they cannot be tampered with.
  4. Because the DEK is encrypted, a database cannot be copied to another SQL Server instance without additional information. The Server Certificate or other protection mechanism must be imported to the new SQL Server instance before the DEK can be decrypted and the database opened.

Setting Up TDE on a Source Database

  1. Create the Database Master Key (DMK)
USE master;  
GO  
CREATE MASTER KEY ENCRYPTION BY PASSWORD='<PASSWORD_1>';  
GO
  1. Create the Server Certificate

NOTE: You could create multiple Server Certificates and use different ones for different databases. For simplicity this is not recommended for a lab environment.

CREATE CERTIFICATE MyServerCert WITH SUBJECT='My Server Certificate';  
GO
  1. Create the Database Encryption Key
    (this key will be embedded in the database, but will be encrypted by the Server Certificate)
USE <DATABASE_NAME>;  
GO  
CREATE DATABASE ENCRYPTION KEY  
WITH ALGORITHM = AES_128  
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;  
GO
  1. Encrypt the database
ALTER DATABASE <DATABASE_NAME>  
SET ENCRYPTION ON;  
GO
  1. Monitor the progress of database encryption, and wait for the encryption_state value to reach 3 (ENCRYPTED). In SQL Server 2019 and later, the encryption_state_desc column can be used for a more meaningful description.
SELECT DB_NAME(database_id) AS database_name, encryptor_thumbprint, encryption_state FROM [sys].[dm_database_encryption_keys];
  1. Export the Server Certificate so that it can be transferred to another server
USE master;
GO
BACKUP CERTIFICATE MyServerCert TO FILE='<CERT_BACKUP_PATH>' WITH PRIVATE KEY (FILE='<KEY_BACKUP_PATH>', ENCRYPTION BY PASSWORD='<PASSWORD_2>');
GO

Setting Up TDE on Staging/Target Instances 

 

Note

Note:

This must be done before attempting to link a dSource or provision a VDB.

1. Copy the exported certificate and key file to every Staging or Target host that could potentially be used for the TDE database.

2. Create a new Database Master Key (DMK) for each SQL Server instance, if one has not already been created.

USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD='<PASSWORD_3>';
GO

3. Import the Server Certificate that was exported from the Source Server.

USE master;
GO
CREATE CERTIFICATE MyServerCert FROM FILE='<CERT_BACKUP_PATH>' WITH PRIVATE KEY (FILE='<KEY_BACKUP_PATH>', DECRYPTION BY PASSWORD='<PASSWORD_2>');
GO

4. Delete the exported Server Certificate, as it is now stored and secured by each SQL Server instance.

What happens if you skip this step? 

If the Source Certificate is not properly restored on the staging or target instances, SQL Server will throw an error that will be passed back the Delphix Engine UI. You may see the following error message:

Changed database context to 'master'.
RESTORE DATABASE [VmyDatabase_54F] WITH RECOVERY;
Msg 33111, Level 16, State 3, Server 10-43-12-70, Line 1
Cannot find server certificate with thumbprint '0x4AD40E8A82A54842F39E73FFEE12CE995114B034'.
Msg 3167, Level 16, State 1, Server 10-43-12-70, Line 1
RESTORE could not start database 'VmyDatabase_54F'.
Msg 3013, Level 16, State 1, Server 10-43-12-70, Line 1
RESTORE DATABASE is terminating abnormally.
Msg 50000, Level 11, State 127, Server 10-43-12-70, Line 3
error_restoring_database
die : Error: recover_vdb failed
At C:\Program Files\Delphix\DelphixConnector\564dfc5c-3c2f-d5d9-e381-7230a6260b
e6-vdb-2\SCRIPT\Provision.ps1:23 char:12
+         die <<<<  "$($args[0])"
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep 
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio 
   n,die

Getting TDE Related Information From SQL Server 

TDE configurations are stored in the master database. Therefore, you will need permissions to query master directly.

Listing databases that use TDE 

USE master;
GO
SELECT name,
    database_id,
    is_master_key_encrypted_by_server FROM [sys].[databases] 
WHERE is_encrypted=1;
GO

Listing certificates on the SQL Server instance 

USE master;
GO
select * FROM [sys].[certificates];
GO

Listing database encryption states 

USE master;
GO
SELECT * FROM [sys].[dm_database_encryption_keys];
GO

Getting a consolidated list of databases, with used certificates, keys, and validity periods 

USE master;
GO
SELECT a.name,
    a.database_id,
    b.encryption_state,
    b.percent_complete,
    b.key_algorithm,
    b.key_length,
    c.name as DEK,
    c.issuer_name,
    c.cert_serial_number,
    c.subject,
    c.start_date,
    c.expiry_date FROM [sys].[databases] a 
JOIN [sys].[dm_database_encryption_keys] b ON (a.database_id=b.database_id) 
JOIN [sys].[certificates] c ON (b.encryptor_thumbprint=c.thumbprint) 
WHERE a.is_encrypted=1;
GO

The encryption_state is a enumerated value that indicates the current real state of the database, not just whether it is designated as using TDE or not. Some states have transitions which are noted by percent_complete. Where not applicable, percent_complete will be "0". The values are as follows:

0 Not encrypted at all and no key assigned
1 Unencrypted
2 Encryption in progress
3 Encrypted
4 Key change in progress
5 Decryption in progress
6 Decryption being updated with new keys

Rotating Server Certificates

In some environments, it will not be permitted to copy the Server Certificate from the Source SQL Server instance to non-production SQL Server instances.

When this happens, you can create an intermediate VDB in a secure environment, and use this to change the Server Certificate used by that VDB.

dSource [SourceCert installed on source and staging instances]
\_ Intermediate VDB [SourceCert and NonProdCert installed on instance]
  \_ Non-Prod VDB [NonProdCert installed on instance]

Each time the intermediate VDB is Provisioned or Refreshed, its encryption key (DEK) will be secured by the Source Certificate.

To rotate the key on the intermediate VDB each time it is Provisioned or Refreshed, a Configure Clone hook such as the following query can be used:

$ErrorActionPreference = "Stop";

Invoke-Sqlcmd -Database "$env:VDB_DATABASE_NAME" -Query "ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE NonProdCert;" -ServerInstance "$env:VDB_INSTANCE_HOST,$env:VDB_INSTANCE_PORT"

Alternatively, if not running a hook, run the ALTER command manually on the SQL Server instance, using the VDB, then run a snapshot on the VDB upon completion. Use this snapshot to provision/refresh the Non-Production VDB.

For more information on this SQL Server command, see Microsoft's documentation on ALTER DATABASE ENCRYPTION KEY. For more information on Hook Operations for VDBs, see our document Hooks for SQL Server.

Once the Server Certificate has been changed in this way, snapshots of this VDB can be provisioned to servers with only the NonProdCert Server Certificate installed. Note that the underlying Database Encryption Key remains unchanged.

To validate that the certificate has been changed, you can compare the thumbprints in the [sys].[certificates] and [sys.dm_database_encryption_keys] views.

 

  • Due to DLPX-86195Is_encrypted property is not true after provisioning VDBs from TDE enabled SQL Server Dsource
  • The VDB is_encrypted flag may be 0 and the VDB may not list in the consolidated list of encrypted databases. However, the VDB will be encrypted but if monitoring VDBs for such a flag a false negative will be returned.
  • If this occurs, run the command to turn off encryption:
ALTER DATABASE <DATABASE_NAME>  
SET ENCRYPTION OFF;  
GO
  • Then turn it on again - Be forewarned - on a large VDB this might take some time to "re-encrypt".
ALTER DATABASE <DATABASE_NAME>  
SET ENCRYPTION ON;  
GO

 

 

Related Articles

 

Privacy Policy Terms of Use Legal About
© 2024 Delphix Corp