By: Dbatag Dbatag
Transparent data encryption (TDE) is a new encryption feature introduced in Microsoft SQL Server 2008. It is designed to provide protection for the entire database at rest without affecting existing applications. Implementing encryption in a database traditionally involves complicated application changes such as modifying table schemas, removing functionality, and significant performance degradation. For example, to use encryption in Microsoft SQL Server 2005, the column data type must be changed to varbinary; ranged and equality searches are not allowed; and the application must call built-ins (or stored procedures or views that automatically use these built-ins) to handle encryption and decryption, all of which slow query performance. These issues are not unique to SQL Server; other database management systems face similar limitations. Custom schemes are often used to support equality searches, and ranged searches often cannot be used at all. Even basic database elements such as creating an index or using foreign keys often do not work with cell-level or column-level encryption schemes, because the use of these features inherently leaks information.

TDE solves these problems by simply encrypting everything. Thus, all data types, keys, indexes, and so on can be used to their full potential without sacrificing security or leaking information on the disk. While cell-level encryption cannot offer these benefits, two Windows® features, Encrypting File System (EFS) and BitLocker® Drive Encryption, are often used for the same reasons as TDE: they provide protection on a similar scale and are transparent to the user.

Extensible Key Management (EKM) is another new feature in SQL Server 2008. It enables parts of the cryptographic key hierarchy to be managed by an external source such as a Hardware Security Module (HSM), referred to as a cryptographic provider. Encryption and decryption operations using these keys are handled by the cryptographic provider.
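The key hierarchy TDE uses when the database encryption key is protected by a server certificate, shown as an added T-SQL example that is not part of the original post. The database name (SalesDb), certificate name, file paths and passwords are placeholders; the view and statements are standard SQL Server 2008 syntax.

```sql
-- Added example (not from the original post): enable TDE with the in-server key
-- hierarchy: service master key -> master DB master key -> certificate -> DEK.
-- SalesDb, TDE_Cert, the file paths and the passwords are placeholders.
USE master;
GO
-- 1. Database master key in master, protected by a password (placeholder).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- 3. Back up the certificate and its private key right away and store the files
--    apart from the database backups: without this backup an encrypted database
--    (and every backup taken of it) cannot be restored on another instance.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\secure\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-backup-password-placeholder>');
GO
-- 4. Create the DEK inside the user database and switch encryption on.
--    Existing pages are encrypted by a background scan; no schema or
--    application change is needed, which is the point of TDE.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 5. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb also appears here once any database on the instance is encrypted,
--    because TDE encrypts tempdb as well.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
```

The verification query is the check to run after enabling TDE: the certificate thumbprint it returns should match the certificate you backed up in step 3, which is what a restore on another server will need.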
This allows for flexibility and choice in cryptographic providers as well as common key management. TDE supports asymmetric keys that are provisioned by EKM. No other form of asymmetric key is supported by TDE, and database certificates cannot currently be provisioned through EKM. EKM is supported for cell-level encryption through symmetric and asymmetric keys. It is highly recommended that you use EKM with both database- and cell-level encryption for more comprehensive key management and hardware-based cryptography (if available through the HSM).

Extensible Key Management (EKM) enables you to manage your encryption keys via an external provider. It enables third-party vendors to implement solutions that store keys in a device such as a smart card, USB device, or a hardware security module (HSM). Encryption is the process of obfuscating data by the use of a key or password. This can make the data useless without the corresponding decryption key or password.

Introduction to Extensible Key Management

Some high-security databases use thousands of keys, and you must employ a system to store, retire, and regenerate these keys. Furthermore, you should store these keys separately from the data to improve security. SQL Server 2008 provides Extensible Key Management, which exposes encryption functionality for use by third-party vendors. These solutions work seamlessly with databases in SQL Server 2005 and SQL Server 2008, and provide enterprise-wide, dedicated key management. This moves the key-management workload from SQL Server to a dedicated key-management system. Extensible Key Management enables key storage in a device such as a smart card or USB drive. Extensible Key Management in SQL Server 2008 also supports the use of HSMs to provide the physical separation of keys from data. This improves security: the data remains protected even if it is stolen, because the keys are kept in a separate physical location.
Enabling Extensible Key Management

Extensible Key Management is switched off by default. You can use the sp_configure stored procedure to enable it. The following code example shows how to enable Extensible Key Management.

sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO

To summarize, SQL Server 2008 Extensible Key Management provides the following benefits:

- An additional authorization check that enables separation of duties between database administration and key management
- Improved performance through hardware-based encryption/decryption rather than software-based encryption/decryption
- External encryption key generation
- Physical separation of data and keys
- Encryption key retrieval
- External encryption key retention and encryption key rotation
- Easier encryption key recovery
- Manageable encryption key distribution
- Secure encryption key disposal
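The full procedure the post outlines, from enabling EKM through to a TDE database encryption key protected by an HSM-held asymmetric key, as an added T-SQL example that is not part of the original post. The provider DLL path, provider and credential names, HSM identity and PIN, key names, login and database are placeholders that a real deployment takes from the HSM vendor; the statements themselves (CREATE CRYPTOGRAPHIC PROVIDER, CREATE CREDENTIAL ... FOR CRYPTOGRAPHIC PROVIDER, CREATE ASYMMETRIC KEY ... FROM PROVIDER, ENCRYPTION BY SERVER ASYMMETRIC KEY) are standard SQL Server 2008 syntax.

```sql
-- Added example (not from the original post): register an EKM provider and
-- protect a TDE database encryption key with an asymmetric key held in the HSM.
-- HsmProvider, the DLL path, HsmCred, the identity/secret values, HsmTdeKey,
-- the login and SalesDb are placeholders. EKM and TDE require Enterprise edition.
USE master;
GO
-- 1. EKM is off by default; enable it (as in the post).
sp_configure 'show advanced', 1;
GO
RECONFIGURE;
GO
sp_configure 'EKM provider enabled', 1;
GO
RECONFIGURE;
GO
-- 2. Register the vendor's EKM DLL as a cryptographic provider.
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = 'C:\EKM\vendor_ekm_provider.dll';   -- placeholder path
GO
-- 3. Credential SQL Server presents to the HSM, mapped to the login that will
--    create the key. This is the extra authorization check the post lists:
--    the HSM, not the DBA role, decides whether the key may be used.
CREATE CREDENTIAL HsmCred
    WITH IDENTITY = '<hsm-user-placeholder>', SECRET = '<hsm-pin-placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
GO
ALTER LOGIN [DOMAIN\dba_admin] ADD CREDENTIAL HsmCred;   -- placeholder login
GO
-- 4. Create the asymmetric key inside the HSM. The private half never leaves
--    the device; SQL Server only holds a reference to it.
CREATE ASYMMETRIC KEY HsmTdeKey
    FROM PROVIDER HsmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'tde_key_salesdb',   -- name as known to the HSM
         CREATION_DISPOSITION = CREATE_NEW;       -- OPEN_EXISTING reuses a key
GO
-- 5. TDE must reach the HSM at instance startup with no user session, so a
--    login mapped to the key carries its own credential for the provider.
CREATE LOGIN HsmTdeLogin FROM ASYMMETRIC KEY HsmTdeKey;
GO
CREATE CREDENTIAL HsmTdeCred
    WITH IDENTITY = '<hsm-user-placeholder>', SECRET = '<hsm-pin-placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
GO
ALTER LOGIN HsmTdeLogin ADD CREDENTIAL HsmTdeCred;
GO
-- 6. Protect the DEK with the HSM key instead of a server certificate.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY HsmTdeKey;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 7. Check that the provider is enabled and the key is provider-backed
--    (provider_type reports CRYPTOGRAPHIC PROVIDER for EKM keys).
SELECT name, version, dll_path, is_enabled
FROM sys.cryptographic_providers;
SELECT name, algorithm_desc, key_length, provider_type
FROM master.sys.asymmetric_keys
WHERE name = 'HsmTdeKey';
```

Step 3 and step 5 each create a credential on purpose: the first lets an administrator manage the key, the second lets the database engine itself open the DEK when the instance starts. Keeping them separate is what gives the separation of duties between database administration and key management that the post lists among the benefits, and revoking or rotating the HSM-side credential is how the key is retired without touching the data files.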