Microsoft Virtual Labs
Transparent Data Encryption
�Protecting Data with Transparent Data Encryption
Table of Contents
Transparent Data Encryption ..................................................................................................... 1
Exercise 1 Copying an Unencrypted Database ..............................................................................................................2 Exercise 2 Implementing Transparent Data Encryption ................................................................................................4 Exercise 3 Attempting to Copy an Encrypted Database ................................................................................................6
�Protecting Data with Transparent Data Encryption
Transparent Data Encryption
Objectives
After completing this lab, you will be able to: Demonstrate how unencrypted data can be stolen by restoring a backup file Encrypt sensitive data by using Transparent Data Encryption Demonstrate that an encrypted database cannot be stolen by restoring a backup file
Scenario
Adventure Works Cycles stores sensitive data in its databases. You regularly back up this data and store the backup files offsite. Concerns have been raised about the security of the data both onsite and offsite. You require a security solution that will protect sensitive data from the possible theft of database or backup media. However, this solution must not require significant client application redevelopment.
Prerequisites
Before working on this lab, you must have: Experience of backing up and restoring Microsoft SQL Server databases
Estimated Time to Complete This Lab Computers used in this Lab
45Minutes
SQL2008
The password for the Student account on all computers in this lab is: pa$$w0rd
Page 1 of 6
�Protecting Data with Transparent Data Encryption
Exercise 1 Copying an Unencrypted Database
Scenario
In this exercise, you will back up a database and restore it to another instance to verify that stolen backup files can be used to access data. Backups are essential to provide disaster recovery and archive storage. If backup media is stolen, it can be used to restore a database on a remote system and security can be compromised. Tasks Complete the following tasks on: SQL2008 1. Back up the AdventureWorks database Detailed Steps a. Start SQL Server Management Studio from the Microsoft SQL Server 2008 program group on the Start menu. b. In the Connect to Server dialog box, click Connect after verifying the following settings: c. Server type: Database Engine Server name: (local) Authentication: Windows Authentication
In Object Explorer, expand Databases, right-click AdventureWorks, point to Tasks, and then click Back Up.
d.
In the Destination section, click Remove to remove any existing backup destinations.
e.
Click Add, type C:\SQLHOLS\TDE\Starter\AdventureWorks.bak and then click OK.
f.
Click OK to back up the database, and then click OK when the backup operation has completed successfully. (If you do not see the OK button, maximize the back up database window)
a. 2. Restore the AdventureWorks database on another instance of SQL Server b.
In Object Explorer, click Connect, and then click Database Engine. In the Connect to Server dialog box, click Connect after entering the following settings: Server type: Database Engine Server name: (local)\Named Authentication: Windows Authentication
c.
On the (local)\Named connection, right-click Databases, and then click Restore Database.
d. e. f.
In the To database box, type AdventureWorksNonEncrypt Select From device, and then click the ellipses () button. Click Add, navigate to C:\SQLHOLS\TDE\Starter, double-click
Page 2 of 6
�Protecting Data with Transparent Data Encryption Tasks Detailed Steps AdventureWorks.bak, and then, in the Specify Backup dialog box, click OK. g. h. In the Restore column, select the check box. In the Select a page list, click the Options page, and then select the Overwrite the existing database check box. i. In the Restore As column, change the file destinations as shown in the following table.(If you do not see the entries in restore as, go to the desktop in the virtual lab environment, and change the resolution to 1024x768) Original File Name Restore As
AdventureWorks_Data C:\SQLHOLS\TDE\Starter\AdventureWorksNonEncrypt.mdf AdventureWorks_Log C:\SQLHOLS\TDE\Starter\AdventureWorksNonEncrypt_log.ldf j. Click OK to restore the database, and then click OK when the restore operation has completed successfully. 3. Access the copied data b. a. Click New Query. If prompted, connect to the (local)\Named database engine instance. Type the following code, and then click Execute.
USE AdventureWorksNonEncrypt GO SELECT * FROM HumanResources.Employee
Note: You can copy this code from C:\SQLHOLS\TDE\Solution\AccessData.sql. c. d. Confirm that the data is accessible. Keep SQL Server Management Studio open for the next exercise.
Note: Stolen backup media is a security risk because data can be restored and accessed on a remote system.
Page 3 of 6
�Protecting Data with Transparent Data Encryption
Exercise 2 Implementing Transparent Data Encryption
Scenario
In this exercise, you will encrypt a database and access it from a client application to verify that encryption is transparent to client applications. Data encryption prevents the risks demonstrated in the previous exercise. Unfortunately, client applications that use traditional data encryption must decrypt the data before they can use it. This causes increased complexity for applications that use the encrypted data and slows development time. Transparent data encryption performs all encryption and decryption on the database system. This provides protection and does not require any additional work for application developers. Tasks Complete the following tasks on: SQL Server 2008 HOLs b. 1. Configure Transparent Data Encryption c. Add Transact-SQL code to create a certificate with the name of ServerCertificate and the subject Server level certificate. d. Add Transact-SQL code to create a database encryption key that uses the AES_128 algorithm and is encrypted with the server certificate ServerCertificate. e. Add Transact-SQL code to alter the AdventureWorks database and set encryption on. Note: To see the completed code, open C:\SQLHOLS\TDE\Solution\Encrypt.sql. f. Execute the Transact-SQL query. Detailed Steps a. In SQL Server Management Studio, in Object Explorer, select the connection to the (local) database engine instance, and then click New Query. If prompted, connect to the (local) database server instance. In the query editor window, type Transact-SQL code to create a master key with the password Pa$$w0rd.
g. Keep SQL Server Management Studio open for the next exercise.
Page 4 of 6
�Protecting Data with Transparent Data Encryption Tasks 2. Access the encrypted database from a client application c. d. Detailed Steps a. b. Start Microsoft Office Excel 2007. On the Data tab of the ribbon, in the Get External Data section, click From Other Sources, and then click From SQL Server. In the Server name box, type (local) and then click Next. In the Select the database that contains the data you want drop-down box, select AdventureWorks. e. f. In the Connect to a specific table list, click Employee, and then click Next. Click Finish, and then click OK to import the data.
Note: Notice that SQL Server has transparently decrypted the data without any changes to the client application. g. Close Excel without saving changes.
Note: Transparent data encryption requires no configuration or programming on the client application.
Page 5 of 6
�Protecting Data with Transparent Data Encryption
Exercise 3 Attempting to Copy an Encrypted Database
Scenario
In this exercise, you will back up an encrypted database and attempt to restore it to another instance to verify that stolen encrypted backup files cannot be used to access data. Backup media is often stored offsite and so it is essential that this media cannot be used to access sensitive data. Tasks Complete the following tasks on: SQL2008 1. Back up the encrypted AdventureWorks database c. Detailed Steps a. In SQL Server Management Studio, in Object Explorer, in the connection to the (local) database engine instance, under the Databases folder, right-click AdventureWorks, point to Tasks, and then click Back Up. b. In the Destination section, click Remove to remove any existing backup destinations. Click Add, type C:\SQLHOLS\TDE\Starter\AdventureWorksEncrypt.bak and then click OK. d. Click OK to back up the database, and then click OK when the backup operation has completed successfully. 2. Attempt to restore the encrypted backup b. c. d. a. In Object Explorer, right-click the Databases folder for the (local)\Named database engine connection, and then click Restore Database. In the To database box, type AdventureWorksEncrypt Select From device, and then click the ellipses () button. Click Add, navigate to C:\SQLHOLS\TDE\Starter, double-click AdventureWorksEncrypt.bak, and then click OK. e. f. In the Restore column, select the check box. In the Select a page list, click the Options page, and note the error message that is displayed. g. Notice that the restore operation fails because the correct server certificate cannot be found and the encrypted data is inaccessible. Then click OK on the error message, and cancel the restore operation. h. Close SQL Server Management Studio. Do not save your files if prompted.
Note: Although the encryption is completely transparent to client applications, the data is encrypted and backups cannot be restored to other servers without the server master key.
Page 6 of 6
