SQL Server Transparent Data Encryption

I have implemented TDE for the database and column-level encryption for sensitive data in tables. But the problem is that the data is entered through a front-end application. How could I encrypt this data when it is inserted from the front end, and how do I decrypt
this data for the users when it is selected?
Your suggestions are most valuable.
Regards,
Rehaan Khan
RehaanKhan. M

Let me start with a solution that may have been overlooked, but it is good to make sure we cover it. Have you considered using column-level permissions? It may not be a complete solution for your particular scenario if you need to give access to the column
for other reasons (after all, the group you are trying to restrict is probably developing applications on top of the column storing sensitive data), or if the developer group has permission to create objects that would render the sensitive data subject to ownership
chains. For more information on column permissions look at
http://msdn.microsoft.com/en-us/library/ms186915.aspx
Assuming permissions alone will not solve the problem: by using encryption you should be able to limit access to the sensitive data to the developers, but it will also require some changes to your schema & application. TDE (Transparent Data Encryption)
will not help you in this scenario, since you need to restrict access to the data and restricting access to the column is not sufficient.
The following links may be useful to get you started with SQL Encryption capabilities:
SQL Server Encryption (http://msdn.microsoft.com/en-us/library/bb510663.aspx)
Data Encryption in SQL Server (http://msdn.microsoft.com/en-us/library/bb669072(v=vs.110).aspx)
Encrypt a Column of data (http://msdn.microsoft.com/en-us/library/ms179331.aspx)
Cryptographic Functions (T-SQL) (http://msdn.microsoft.com/en-us/library/ms173744.aspx)
Older articles, but they may still be quite useful:
Indexing encrypted Data (http://blogs.msdn.com/b/raulga/archive/2006/03/11/549754.aspx)
SQL Server 2005: searching encrypted data (http://blogs.msdn.com/b/lcris/archive/2005/12/22/506931.aspx)
One recommendation may be to encrypt the data using an AES key, and protect the key using one or more certificates (I would recommend using a separate certificate per individual if possible), making sure that only authorized people have access to the keys.
Anyone else with access to the column, but not to the keys would not be able to decrypt the data.
BTW, I would also recommend using SQL Auditing (http://msdn.microsoft.com/en-us/library/cc280386.aspx) in order to keep honest people honest, by monitoring access to the keys & to the
sensitive data.
I hope this information helps,
-Raul Garcia
SQL Server Security
This posting is provided "AS IS" with no warranties, and confers no rights.
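
As an added example (not part of Raul's post or the original thread), here is the pattern his answer describes written out in T-SQL: an AES_256 symmetric key protected by a certificate, with the front end doing its INSERT and SELECT through stored procedures that run under the owner's context so that application logins never receive rights on the key or the certificate, plus a server audit that records key use and column access. The database name, object names, roles, audit path and the sample row are all assumptions, and it assumes SQL Server 2012 or later (for HashBytes with SHA2_256). The per-user-certificate variant Raul mentions would instead give each person their own certificate and pass it to DecryptByKeyAutoCert; the procedure gating shown here is the simpler choice when users only ever go through the application.

```sql
-- Added example, not from the original thread. HR_Secrets, dbo.Employee, SsnKey,
-- SsnCert, app_writer, payroll_reader and the audit folder are assumed names.
USE master;
GO
-- 1. Server audit: one destination for "who touched the key / the column" records.
CREATE SERVER AUDIT SensitiveDataAudit
    TO FILE (FILEPATH = 'C:\Audit\');            -- assumed folder; must already exist
ALTER SERVER AUDIT SensitiveDataAudit WITH (STATE = ON);
GO
USE HR_Secrets;                                   -- assumed database
GO
-- 2. Key hierarchy: DMK -> certificate -> AES symmetric key. Only the certificate
--    (and whoever may use it) can open the key; TDE plays no part in this.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-with-a-long-random-passphrase-1!';
CREATE CERTIFICATE SsnCert WITH SUBJECT = 'Protects the key for dbo.Employee.SsnEncrypted';
CREATE SYMMETRIC KEY SsnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SsnCert;
GO
-- 3. The table stores ciphertext only. EmployeeId is supplied by the caller so it
--    can double as the authenticator that ties each ciphertext to its own row.
CREATE TABLE dbo.Employee (
    EmployeeId   int            NOT NULL PRIMARY KEY,
    FullName     nvarchar(100)  NOT NULL,
    SsnEncrypted varbinary(256) NOT NULL
);
GO
-- 4. Insert path used by the front end. EXECUTE AS OWNER means the application
--    login needs only EXECUTE on the procedure, never VIEW DEFINITION on the key
--    or CONTROL on the certificate.
CREATE PROCEDURE dbo.Employee_Insert
    @EmployeeId int, @FullName nvarchar(100), @Ssn char(11)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
    INSERT INTO dbo.Employee (EmployeeId, FullName, SsnEncrypted)
    VALUES (@EmployeeId, @FullName,
            EncryptByKey(Key_GUID('SsnKey'), @Ssn, 1,
                         HashBytes('SHA2_256', CONVERT(varbinary(4), @EmployeeId))));
    CLOSE SYMMETRIC KEY SsnKey;
END;
GO
-- 5. Read path: DecryptByKeyAutoCert opens the key with the certificate for the
--    duration of the call. A ciphertext copied in from another row fails the
--    authenticator check and decrypts to NULL rather than to a wrong SSN.
CREATE PROCEDURE dbo.Employee_GetSsn
    @EmployeeId int
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    SELECT EmployeeId, FullName,
           CONVERT(char(11), DecryptByKeyAutoCert(Cert_ID('SsnCert'), NULL, SsnEncrypted, 1,
                   HashBytes('SHA2_256', CONVERT(varbinary(4), EmployeeId)))) AS Ssn
    FROM dbo.Employee
    WHERE EmployeeId = @EmployeeId;
END;
GO
-- 6. Least privilege: application roles get the procedures and nothing else.
--    Anyone else who has SELECT on the table sees only the SsnEncrypted bytes.
CREATE ROLE app_writer;
CREATE ROLE payroll_reader;
GRANT EXECUTE ON dbo.Employee_Insert TO app_writer;
GRANT EXECUTE ON dbo.Employee_GetSsn TO payroll_reader;
GO
-- 7. Audit the column and the decrypt path. Records keep the real caller in
--    session_server_principal_name even though the procedures impersonate dbo.
CREATE DATABASE AUDIT SPECIFICATION SensitiveDataSpec
FOR SERVER AUDIT SensitiveDataAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Employee BY public),
    ADD (EXECUTE ON OBJECT::dbo.Employee_GetSsn BY public),
    ADD (DATABASE_OBJECT_ACCESS_GROUP)           -- certificate and key use
WITH (STATE = ON);
GO
-- 8. Constructed sample round trip.
EXEC dbo.Employee_Insert @EmployeeId = 1001, @FullName = N'Ada Lovelace', @Ssn = '123-45-6789';
EXEC dbo.Employee_GetSsn @EmployeeId = 1001;       -- Ssn column shows 123-45-6789
SELECT EmployeeId, SsnEncrypted FROM dbo.Employee; -- ciphertext only
SELECT event_time, session_server_principal_name, action_id, object_name
FROM sys.fn_get_audit_file('C:\Audit\*.sqlaudit', DEFAULT, DEFAULT);
```

The front end changes only in that it calls dbo.Employee_Insert and dbo.Employee_GetSsn instead of touching the table; the key never leaves the server and never has to be handed to the application tier. Back up SsnCert with its private key (BACKUP CERTIFICATE ... WITH PRIVATE KEY) before the first real row goes in, because without it the ciphertext is unrecoverable.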

Similar Messages

  • Listener Start Problem with TDE (Transparent Data Encryption)

    I am testing Transparent Data Encryption in Oracle 10g by using the following link:
    http://oracle-base.com/articles/10g/TransparentDataEncryption_10gR2.php
    Before implementing TDE the listener was running fine, but after the implementation of TDE the listener was unable to start.
    Please check the steps which I followed.
    Step1-
    Specify the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file; now the SQLNET.ora file looks like the following:
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=D:\oracle\product\10.2.0\wallet\)))
    Please check the contents of the listener.ora file; I didn't make any configuration changes to the listener before or after the implementation of TDE.
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = PLSExtProc)
          (ORACLE_HOME = D:\oracle\product\10.2.0\db_1)
          (PROGRAM = extproc)
        )
      )
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
          (ADDRESS = (PROTOCOL = TCP)(HOST = shakeel-pc.lhr.inov8.com.pk)(PORT = 1521))
        )
      )
    Step2-
    CONN sys/password AS SYSDBA
    ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "myPassword";
    TDE was implemented successfully.
    But when I try to stop/start the listener:
    C:\>lsnrctl status
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:30
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    STATUS of the LISTENER
    Alias LISTENER
    Version TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    Start Date 05-JUN-2008 22:40:14
    Uptime 0 days 7 hr. 4 min. 16 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF
    Listener Parameter File D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Listener Log File D:\oracle\product\10.2.0\db_1\network\log\listener.log
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=shakeel-pc.lhr.inov8.com.pk)(PORT=1521)))
    Services Summary...
    Service "PLSExtProc" has 1 instance(s).
    Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    Service "orcl" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "orclXDB" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "orcl_XPT" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    The command completed successfully
    C:\>lsnrctl stop
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:35
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    The command completed successfully
    C:\>lsnrctl start
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:40
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Starting tnslsnr: please wait...
    TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    System parameter file is D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Log messages written to D:\oracle\product\10.2.0\db_1\network\log\listener.log
    Error listening on: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PARTIAL=yes)(QUEUESIZE=1))
    No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
    TNS-12560: TNS:protocol adapter error
    TNS-00583: Valid node checking: unable to parse configuration parameters
    Listener failed to start. See the error message(s) above...
    To start the listener I have to close the wallet as follows:
    1- SQL> conn sys as sysdba
    ALTER SYSTEM SET WALLET CLOSE;
    2- Restore the previous SQLNET.ora file, so that SQLNET.ora now contains
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    Now if I start the listener, it starts successfully.
    Please suggest why the listener does not start with TDE?

    I have the same problem. I'm testing TDE using Oracle 11gR1. After setting the parameter encryption_wallet_location and restarting the listener, the listener failed to start. The error is exactly the same:
    TNS-12560: TNS:protocol adapter error
    TNS-00583: Valid node checking: unable to parse configuration parameters
    By removing the parameter encryption_wallet_location, the listener can be started successfully.
    Can anyone help?

  • Transparent Data Encryption Configuration

    Hi,
    I want to configure Transparent Data Encryption on a Database which is protected with Database Vault.
    Is there any document which talks about the integration of Database Vault with Transparent Data Encryption.
    I want to create a common security administrator user (other than sys/system users) for Transparent Data Encryption configuration.
    If I create a new administrator from the Enterprise Manager console I am getting the following error:
    SQL Error ORA-47401: Realm violation for grant system privilege on SELECT ANY DICTIONARY. ORA-06512: at "SYSMAN.MGMT_USER", line 9316 ORA-06512
    How can I avoid this error?
    Any pointers on this is appreciated.
    Thanks & regards,
    Srikanth

    Turning off DBVault is not needed to turn on TDE ... the DB user who wants to manage the DB through Enterprise Manager, needs to have the SELECT ANY DICTIONARY privilege (I think I remember this is done by logging into EM (not DVA) as DBV_OWNER, or DV_ACCT_MNGR if you have configured one).
    If then the creation of the wallet fails, make the user an OWNER of the DATA DICTIONARY realm in DBVault. Note that the directory that you plan to use to store the wallet needs to exist before you create the wallet and master key for TDE.
    Peter
    Edited by: Peter Wahl on 03.07.2010 02:20

  • Transparent Data Encryption vs. OS level encryption

    Can someone help me by posting few URLs to read about Oracle's Transparent Data Encryption vs. OS Level Encryption (Win 2003 server)? We are trying to choose an option and go with it. I'm looking for a comparative analysis doc (Oracle 10.2.0.2 on MS Win 2003 Server), or if you can give me pros and cons for each of those options.
    Many thanks in advance,
    Dejan

    http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html

  • Transparent Data Encryption vs. DBMS_CRYPTO

    Which provides more security: Transparent Data Encryption or DBMS_CRYPTO?

    The security protection is, for all essential purposes, identical.
    TDE automates encryption at the column level (10g) and dbms_crypto is used by PL/SQL.
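
    As an added example (not part of this thread), the same column protected both ways in Oracle SQL and PL/SQL, to make the operational difference concrete: with TDE column encryption the key lives in the wallet and the SQL is unchanged, so any user holding SELECT sees plaintext once the wallet is open; with DBMS_CRYPTO the application holds the key, so SELECT without the key returns only ciphertext. The tables, the package, the key handling in the anonymous block and the sample SSN are assumptions; EXECUTE on DBMS_CRYPTO has to be granted by SYS, and the TDE table needs an open wallet.

```sql
-- Added example, not from the thread. customer_tde, customer_crypto, ssn_vault
-- and the 32-byte key are assumptions.

-- (a) TDE column encryption: transparent to SQL, key managed by the wallet.
CREATE TABLE customer_tde (
    id  NUMBER PRIMARY KEY,
    ssn VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT   -- NO SALT only if the column must be indexed
);
INSERT INTO customer_tde VALUES (1, '123-45-6789');   -- constructed sample
SELECT ssn FROM customer_tde WHERE id = 1;            -- plaintext for anyone with SELECT

-- (b) DBMS_CRYPTO: the application supplies the key; the table holds IV || ciphertext.
CREATE TABLE customer_crypto (
    id  NUMBER PRIMARY KEY,
    ssn RAW(64)
);

CREATE OR REPLACE PACKAGE ssn_vault AS
    FUNCTION encrypt_ssn(p_ssn IN VARCHAR2, p_key IN RAW) RETURN RAW;
    FUNCTION decrypt_ssn(p_ct  IN RAW,      p_key IN RAW) RETURN VARCHAR2;
END ssn_vault;
/
CREATE OR REPLACE PACKAGE BODY ssn_vault AS
    c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                   + DBMS_CRYPTO.CHAIN_CBC
                                   + DBMS_CRYPTO.PAD_PKCS5;

    FUNCTION encrypt_ssn(p_ssn IN VARCHAR2, p_key IN RAW) RETURN RAW IS
        l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per row, stored in front
    BEGIN
        RETURN UTL_RAW.CONCAT(l_iv,
               DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
                                   c_mode, p_key, l_iv));
    END encrypt_ssn;

    FUNCTION decrypt_ssn(p_ct IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
        l_iv RAW(16)   := UTL_RAW.SUBSTR(p_ct, 1, 16);
        l_ct RAW(2000) := UTL_RAW.SUBSTR(p_ct, 17);
    BEGIN
        RETURN UTL_I18N.RAW_TO_CHAR(
               DBMS_CRYPTO.DECRYPT(l_ct, c_mode, p_key, l_iv), 'AL32UTF8');
    END decrypt_ssn;
END ssn_vault;
/
-- Round trip. In a real deployment the key comes from the application or a KMS,
-- never from a table in the same database.
DECLARE
    l_key  RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
    l_back VARCHAR2(11);
BEGIN
    INSERT INTO customer_crypto VALUES (1, ssn_vault.encrypt_ssn('123-45-6789', l_key));
    SELECT ssn_vault.decrypt_ssn(ssn, l_key) INTO l_back FROM customer_crypto WHERE id = 1;
    DBMS_OUTPUT.PUT_LINE(l_back);                      -- 123-45-6789
    -- SELECT ssn FROM customer_crypto shows only the RAW bytes.
END;
/
```

    The cipher is AES-256 in both cases; what a DBA or an attacker with SELECT can see depends on where the key is, and that is the question to decide before picking one.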

  • Connect to MS SQL Server 2000 data warehouse

    Hi,
    I use a MS SQL Server 2000 database for my web application where I use JSP. I am supposed to create a data warehouse using MS SQL Server's Data Transformation Service. But I don't know if it's possible to connect to a MS SQL Server data warehouse using JSP. So I want to know: is it possible to connect to the data warehouse using JSP, and if it is, how do I do it? Thank you.

    You can certainly connect to M$ SQL Server using the JDBC driver:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=4f8f2f01-1ed7-4c4d-8f7b-3d47969e66ae&displaylang=en
    Connecting to a data warehouse is no different from any relational database. (My understanding is that a data warehouse usually means a star schema implemented in a relational database.) This will connect you.
    If you're not familiar with JDBC, you might need the tutorial:
    http://java.sun.com/docs/books/tutorial/jdbc/

  • Writing a stored procedure to import SQL Server table data into a Oracle table

    Hello,
    As a new DBA I have been tasked with writing a stored procedure to import SQL Server table data into an Oracle table. I have been given many suggestions on how to do it from SQL Server, but I just need to write a stored procedure to run it from the Oracle side. Suggestions/guidance on where to start would be greatly appreciated! Thank you!
    I started to write it based on what I have, but I know this is not correct :/
    # Here is the select statement for the data source in SQL Server...
    SELECT COMPANY
    ,CUSTOMER
    ,TRANS_TYPE
    ,INVOICE
    ,TRANS_DATE
    ,STATUS
    ,TRAN_AMT
    ,CREDIT_AMT
    ,APPLD_AMT
    ,ADJ_AMT
    ,TRANS_USER1
    ,PROCESS_LEVEL
    ,DESCRIPTION
    ,DUE_DATE
    ,OUR_DATE
    ,OUR_TIME
    ,PROCESS_FLAG
    ,ERROR_DESCRIPTION
      FROM data_source_table_name
    #It loads data into the table in Oracle....   
    Insert into oracle_destination_table_name (
    COMPANY,
    CUSTOMER,
    TRANS_TYPE,
    INVOICE,
    TRANS_DATE,
    STATUS,
    TRANS_AMT,
    CREDIT_AMT,
    APPLD_AMT,
    ADJ_AMT,
    TRANS_USER1,
    PROCESS_LEVEL,
    DESCRIPTION,
    DUE_DATE,
    OUR_DATE,
    OUR_TIME,
    PROCESS_FLAG,
    ERROR_DESCRIPTION)
    END;

    CREATE TABLE statements would have been better as MS-SQL and Oracle don't have the same data types.
    OUR_DATE, OUR_TIME will (most likely) be ONE column in Oracle.
    DATABASE LINK
    Personally, I'd just load the data over a database link:
    insert into oracle_destination_table_name ( <column list> )
    select ... <transform data here>
    from data_source_table@mssql_db_link
    As far as creating the database link from Oracle to MS-SQL ... that is for somebody else to answer.
    (most likely you'll need to use an ODBC driver)
    EXTERNAL TABLE
    If the data from MS-SQL is in a CSV file, just use and external table.
    same concept:
    insert into oracle_destination_table_name ( <column list> )
    select ... <transform data here>
    from data_source_external_table
    MK
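
    One way to write the procedure MK sketches, as an added example that is not part of the thread: a PL/SQL procedure that loads over the database link, maps the source's TRAN_AMT onto the destination's TRANS_AMT, and folds OUR_DATE and OUR_TIME into a single DATE column. The link name mssql_db_link is taken from MK's reply; the destination column OUR_DATETIME, the assumption that OUR_TIME arrives as a number in HHMISS form, and the (COMPANY, INVOICE) key used to make re-runs idempotent are all assumptions.

```sql
-- Added example, not the poster's code. Assumes a heterogeneous link mssql_db_link
-- whose SQL Server login has SELECT on the source table only, and a destination
-- table that has OUR_DATETIME DATE in place of OUR_DATE / OUR_TIME.
CREATE OR REPLACE PROCEDURE load_ar_transactions (p_rows_loaded OUT PLS_INTEGER) AS
BEGIN
    INSERT INTO oracle_destination_table_name (
        COMPANY, CUSTOMER, TRANS_TYPE, INVOICE, TRANS_DATE, STATUS,
        TRANS_AMT, CREDIT_AMT, APPLD_AMT, ADJ_AMT, TRANS_USER1,
        PROCESS_LEVEL, DESCRIPTION, DUE_DATE, OUR_DATETIME,
        PROCESS_FLAG, ERROR_DESCRIPTION)
    SELECT s.COMPANY, s.CUSTOMER, s.TRANS_TYPE, s.INVOICE, s.TRANS_DATE, s.STATUS,
           s.TRAN_AMT,                              -- source spells it TRAN_AMT
           s.CREDIT_AMT, s.APPLD_AMT, s.ADJ_AMT, s.TRANS_USER1,
           s.PROCESS_LEVEL, s.DESCRIPTION, s.DUE_DATE,
           -- assumption: OUR_TIME is a number such as 93015 meaning 09:30:15
           TO_DATE(TO_CHAR(s.OUR_DATE, 'YYYYMMDD') || LPAD(s.OUR_TIME, 6, '0'),
                   'YYYYMMDDHH24MISS'),
           s.PROCESS_FLAG, s.ERROR_DESCRIPTION
    FROM   data_source_table_name@mssql_db_link s
    WHERE  NOT EXISTS (SELECT 1
                       FROM   oracle_destination_table_name d
                       WHERE  d.COMPANY = s.COMPANY
                       AND    d.INVOICE = s.INVOICE);   -- assumed natural key
    p_rows_loaded := SQL%ROWCOUNT;
    COMMIT;
END load_ar_transactions;
/
-- Run from SQL*Plus:
--   VARIABLE n NUMBER
--   EXEC load_ar_transactions(:n)
--   PRINT n
```

    Keep the link's SQL Server credential scoped to SELECT on that one table; a database link stores a password, so it should never be a login that can write to or administer the source.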

  • How to migrate MS SQL Server OLAP data to Oracle 10g OLAP

    Hi,
    Anyone has any idea on whether migration workbench can migrate my MS SQL Server OLAP data to Oracle 10g (with OLAP option) ?
    Best Regards,
    Ian Ho

    Ian,
    What exactly do you mean by SQL*Server OLAP ? Is it just a 'normal' SQL*Server database which is used for an OLAP application ?
    The migration workbench migrates schema objects, triggers, and stored procedures and is not concerned with the application that uses those objects.
    And the same with the Oracle OLAP database. Once the data etc has been moved into the database you can then use it for whichever application you want.
    If you have concerns apart from moving the actual data then please give us more details.
    Regards,
    Mike

  • General review of Transparent Data Encryption (TDE) and performance of...

    I understand that the implementation of just about any database encryption solution is going to result in some degree of a performance hit, especially as searches are performed against the database, but nonetheless we are thinking about implementing the Oracle TDE solution and, as recommended, isolating encryption needs to ONLY necessary columns of data - in our case, columns pertaining to private ANSWER (results) data and/or PII (Pers. Ident. Info.). This being said, is anyone else doing something similar with TDE, or does anyone have any pointers up front on what to look out for, what to expect, and how they are operating with TDE? (Just reaching out for some thoughts, insight, comments, and/or warnings)... Thank you very much. - Jason

    Yes, we have many customers using it, please check my updated TDE best practices paper; it has lots of hints and tricks and things to look out for:
    Available from http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html (scroll down, please).
    Thanks, Peter

  • Transparent Data Encryption clarification

    Hello All,
    {color:#993300}http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html#A12010
    Does the database memory (SGA) contain clear-text or encrypted data?
    With column-level TDE, encrypted data remains
    encrypted inside the SGA, but with tablespace encryption, data is
    already decrypted in the SGA.{color}
    my doubt here is,
    1. When a select query is issued, when and where does the decryption take place before the data comes to the SGA?
    2. Is there any tool to dump the buffer cache in the SGA to find whether data is encrypted or not?
    Please do help me.
    Thanks in advance

    AFAIK, TDE is for encrypting data on disk (so the database can't be stolen), not for encrypting data in the tables (may be wrong there).
    dbms_obfuscation is deprecated in 10g, so use dbms_crypto instead; it's much better.

  • Get SQL Server default data path via ADO/C++?

    Hi,
    I am trying to get the SQL Server default data path via ADO/Visual C++.
    I find the SQL statements that will do that in
    http://stackoverflow.com/questions/1883071/how-do-i-find-the-data-directory-for-a-sql-server-instance/12756990#12756990
    So I just concat all the statements above into a CString object strStatements, then try to open a recordset as follows:
    _RecordsetPtr m_pRecordset;
    m_pRecordset.CreateInstance(__uuidof(Recordset));
    m_pRecordset->Open(_bstr_t(strStatements), _variant_t((IDispatch *)m_pConnection, true), adOpenDynamic, adLockOptimistic, 0);
    m_pRecordset->MoveFirst();
    The last MoveFirst statement will cause com_error, which said
    “ADODB.Recordset error '800a0e78'
    Operation is not allowed when the object is closed.
    It seems that there are no data in the recordset at all. What is the problem?
    Thanks

    Hello,
    Which query statement did you use to get the database data and log file path? Can you get the result by running the query directly in SQL Server Management Studio? For example,
    SELECT SUBSTRING(physical_name, 1, CHARINDEX(N'master.mdf', LOWER(physical_name)) - 1)
    FROM master.sys.master_files
    WHERE database_id = 1 AND file_id = 1
    Regards,
    Fanny Liu
    If you have any feedback on our support, please click here. 
    Fanny Liu
    TechNet Community Support

  • SQL Server Parallel Data Warehouse (PDW) Licensing

    Hi All,
    We have a customer that's interested in SQL Server Parallel Data Warehouse
    (PDW). I'm told this is an appliance sold by a manufacturer like Dell or HP. But
    I also see Licensing price on the EA price list.
    Can they also purchase PDW under a VL Agreement?
    Regards,
    DSarao

    Yes. Microsoft sells PDW as an appliance with a software and hardware purchase. Note that the PDW requires both the software and hardware purchase.

  • Does oracle 10.1 support transparent data encryption?

    hi,
    does oracle Release 10.1.0.3.0 support transparent data encryption?
    if not, what can i use instead?
    thanks

    According to http://download-uk.oracle.com/docs/cd/B14117_01/network.101/b10772/asoconfg.htm ,
    data encryption is supported for Oracle Net services in release 10.1.

  • SQL Server TDE stuck encryption state 4

    I'm trying to create a robust script that runs backups, backs up the current certificate, creates a new certificate, backs up the new certificate and regenerates the database encryption keys with the new certificate. Obviously to do all this you're talking about a pretty
    complicated script! I've tried to make it as robust as possible; however, when running the script the databases have gotten stuck in encryption state 4. (This has happened before, which is why I'm testing this to destruction.) Now, before I delete and recreate
    these databases, is there any way to force them out of state 4? It will not allow you to turn encryption off; you get the following error: Cannot disable database encryption while an encryption, decryption, or key change scan is in progress.
    I'm not sure what happened to get them into this state but want to prevent it at all costs.
    Please see my script. You should be able to test this easily by creating a couple of DBs.
    Any improvements would be greatly appreciated, and this will be extremely useful to anyone in a TDE environment.
    *** UPDATED ***
    USE master
    DECLARE @Name NVARCHAR(50) , -- Database Name
    @Path NVARCHAR(100) , -- Path for backup files
    @FileName NVARCHAR(256) , -- Filename for backup
    @FileDate NVARCHAR(20) , -- Used for file name
    @BackupSetName NVARCHAR(50) ,
    @SQLScript NVARCHAR(MAX) ,
    @Live AS NCHAR(3) = 'No'
    -- *** MAKE SURE YOU CHECK THIS BEFORE RUNNING ***
    -- specify database backup directory
    SET @Path = 'E:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup\'
    -- specify filename format
    SET @FileDate = REPLACE(REPLACE(REPLACE(CONVERT(NVARCHAR(20), GETDATE(), 120), '-', ''), ' ', ''), ':', '') -- yyyyMMddHHmmss
    IF CURSOR_STATUS('global', 'db_cursor') >= -1
    DEALLOCATE db_cursor
    DECLARE db_cursor CURSOR
    FOR
    SELECT Name
    FROM sys.databases
    WHERE Name NOT IN ( 'master', 'model', 'msdb', 'tempdb' )
    AND is_encrypted = 1
    OPEN db_cursor
    FETCH NEXT FROM db_cursor INTO @Name
    WHILE @@FETCH_STATUS = 0
    BEGIN TRY
    SET @FileName = @Path + @Name + '_' + @FileDate + '.bak'
    SET @SQLScript = 'BACKUP DATABASE ' + @Name + ' TO DISK = '''
    + @FileName + ''' WITH NOFORMAT, INIT, SKIP, STATS = 10
    RESTORE VERIFYONLY FROM DISK = ''' + @FileName + ''' BACKUP LOG '
    + @Name + ' TO DISK = ''' + @Path + @Name + '_log.ldf'''
    PRINT '*** STEP ONE Backing up Databases ***'
    PRINT @SQLScript
    IF @Live = 'Yes'
    EXEC (@SQLScript)
    FETCH NEXT FROM db_cursor INTO @Name
    END TRY
    BEGIN CATCH
    PRINT 'Error Completing Backups'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    CLOSE db_cursor
    DEALLOCATE db_cursor
    -- Get current certificate statuses
    SELECT DB_NAME(database_id) AS DatabaseName ,
    Name AS CertificateName ,
    CASE encryption_state
    WHEN 0 THEN 'No database encryption key present, no encryption'
    WHEN 1 THEN 'Unencrypted'
    WHEN 2 THEN 'Encryption in progress'
    WHEN 3 THEN 'Encrypted'
    WHEN 4 THEN 'Key change in progress'
    WHEN 5 THEN 'Decryption in progress'
    END AS encryption_state_desc ,
    create_date ,
    regenerate_date ,
    modify_date ,
    set_date ,
    opened_date ,
    key_algorithm ,
    key_length ,
    encryptor_thumbprint ,
    percent_complete ,
    certificate_id ,
    principal_id ,
    pvt_key_encryption_type ,
    pvt_key_encryption_type_desc ,
    issuer_name ,
    cert_serial_number ,
    subject ,
    expiry_date ,
    start_date ,
    thumbprint ,
    pvt_key_last_backup_date
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
    -- TDE cannot be started while backup is running
    WHILE EXISTS ( SELECT *
    FROM master.dbo.sysprocesses
    WHERE dbid IN ( DB_ID('*** DATABASE ***') )
    AND cmd LIKE 'BACKUP%' )
    BEGIN
    PRINT 'Waiting for backups to complete'
    WAITFOR DELAY '00:01:00'
    END
    --Code for backing up certificate and generating new certificate
    DECLARE @CurrentCertificateName AS NVARCHAR(100) ,
    @CertificateBackupFile AS NVARCHAR(256) ,
    @KeyBackup AS NVARCHAR(256) ,
    @KeyStore AS NVARCHAR(256) = 'E:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Key Backup\' ,
    @SecurePass AS NVARCHAR(50) = '*** Password ***'
    -- Get current certificate name
    SELECT @CurrentCertificateName = c.name
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
    WHERE DB_NAME(e.database_id) = @Name
    -- backup the current certificate
    SET @CertificateBackupFile = @KeyStore + @CurrentCertificateName + '.cer'
    SET @KeyBackup = @KeyStore + @CurrentCertificateName + '.pvk'
    SET @SQLScript = 'BACKUP CERTIFICATE ' + @CurrentCertificateName
    + ' TO FILE = ''' + @CertificateBackupFile + ''' WITH PRIVATE KEY'
    + ' (FILE = ''' + @KeyBackup + ''',' + ' ENCRYPTION BY PASSWORD = '''
    + @SecurePass + ''')'
    PRINT '*** STEP TWO Backing up current certificate: ' + @SQLScript + ' ***'
    IF @Live = 'Yes'
    BEGIN TRY
    EXEC ( @SQLScript )
    END TRY
    BEGIN CATCH
    PRINT 'Could not back up existing Certificate. Job Cancelled'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    -- Generate the new certificate.
    DECLARE @Now AS NVARCHAR(12) = REPLACE(REPLACE(REPLACE(CONVERT(NVARCHAR(20), GETDATE(), 120), '-', ''), ' ', ''), ':', '') -- truncated to yyyyMMddHHmm
    DECLARE @NewCertificateName AS NVARCHAR(50) = 'PCI_Compliance_Certificate_'
    + @Now
    -- Manually set certificate name
    --SELECT @NewCertificateName = 'PCI_Compliance_Certificate_201312231546'
    -- Generate a new certificate
    DECLARE @NewCertificateDescription AS NVARCHAR(100) = 'PCI DSS Compliance Certificate for 2014'
    SET @SQLScript = 'CREATE CERTIFICATE ' + @NewCertificateName
    + ' WITH SUBJECT = ''' + @NewCertificateDescription + ''''
    PRINT '*** STEP THREE Creating New Certificate: ' + @SQLScript + ' ***'
    IF @Live = 'Yes'
    BEGIN TRY
    EXEC ( @SQLScript )
    END TRY
    BEGIN CATCH
    PRINT 'Could not create the new Certificate. Job Cancelled'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    -- Back up the new certificate
    SET @CertificateBackupFile = @KeyStore + @NewCertificateName + '.cer'
    SET @KeyBackup = @KeyStore + @NewCertificateName + '.pvk'
    SET @SQLScript = 'BACKUP CERTIFICATE ' + @NewCertificateName
    + ' TO FILE = ''' + @CertificateBackupFile + '''' + ' WITH PRIVATE KEY'
    + ' (FILE = ''' + @KeyBackup + ''',' + ' ENCRYPTION BY PASSWORD = '''
    + @SecurePass + ''')'
    PRINT '*** STEP FOUR Backing up New Certificate: ' + @SQLScript + ' ***'
    IF @Live = 'Yes'
    BEGIN TRY
    EXEC ( @SQLScript )
    END TRY
    BEGIN CATCH
    PRINT 'Error: Could not back up New Certificate.'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    --Encrypt database with new certificate
    WHILE EXISTS ( SELECT *
    FROM master.dbo.sysprocesses
    WHERE dbid IN ( DB_ID('*** DATABASE ***') )
    AND cmd LIKE 'BACKUP%' )
    BEGIN
    PRINT 'Waiting for backups to complete'
    WAITFOR DELAY '00:01:00'
    END
    DECLARE db_cursor CURSOR
    FOR
    SELECT Name
    FROM sys.databases
    WHERE Name NOT IN ( 'master', 'model', 'msdb', 'tempdb' )
    AND is_encrypted = 1
    OPEN db_cursor
    FETCH NEXT FROM db_cursor INTO @Name
    WHILE @@FETCH_STATUS = 0
    BEGIN TRY
    SET @SQLScript = 'USE ' + @Name
    + ' ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE '
    + 'PCI_Compliance_Certificate_' + @Now
    PRINT '*** STEP FIVE Encrypting Databases ***'
    PRINT @SQLScript
    IF @Live = 'Yes'
    EXEC (@SQLScript)
    FETCH NEXT FROM db_cursor INTO @Name
    END TRY
    BEGIN CATCH
    PRINT 'Error Encrypting Databases'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    CLOSE db_cursor
    DEALLOCATE db_cursor
    -- Inspect the new state of the databases
    SELECT DB_NAME(e.database_id) AS DatabaseName ,
    e.database_id ,
    e.encryption_state ,
    CASE e.encryption_state
    WHEN 0 THEN 'No database encryption key present, no encryption'
    WHEN 1 THEN 'Unencrypted'
    WHEN 2 THEN 'Encryption in progress'
    WHEN 3 THEN 'Encrypted'
    WHEN 4 THEN 'Key change in progress'
    WHEN 5 THEN 'Decryption in progress'
    END AS encryption_state_desc ,
    c.name ,
    e.percent_complete
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint

    Hello,
    State 4 means (as you've noted in your script) that there is a key change in process. When a key change happens with TDE, all of the data must first be decrypted with the old keys and encrypted with the new keys which takes time. However long it takes to
    decrypt and encrypt your entire database (depending on how many key changes there are in the hierarchy) is how long it will take.
    There is also a very niche scenario where database corruption can cause issues with TDE while encrypting or decrypting. You could run a CHECKDB and validate this is not the case (you can also check suspect_pages at a quick glance).
    Sean Gallardy | Blog |
    Twitter
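
    As an added example (not the poster's script and not part of Sean's reply), here is a certificate rotation that avoids the long state-4 scan where it is not needed, then polls until the database is back in state 3 and runs the corruption checks Sean suggests. ALTER DATABASE ENCRYPTION KEY ... ENCRYPTION BY SERVER CERTIFICATE re-encrypts only the database encryption key under the new certificate; it is the REGENERATE in the poster's script that replaces the DEK itself and therefore has to decrypt and re-encrypt every page, which is the scan Sean describes. So for a yearly "retire the old certificate" rotation, changing the protector is enough, and REGENERATE is reserved for when the DEK itself is suspected compromised. SalesDB and TDE_Cert_2014 are assumed names.

```sql
-- Added example, not the poster's script. SalesDB and TDE_Cert_2014 are assumptions;
-- the certificate must already exist in master.
USE master;
GO
-- Refuse to rotate onto a certificate whose private key has never been backed up:
-- lose that key and every backup of SalesDB becomes unrestorable.
IF NOT EXISTS (SELECT 1 FROM sys.certificates
               WHERE name = 'TDE_Cert_2014' AND pvt_key_last_backup_date IS NOT NULL)
    THROW 50000, 'Back up TDE_Cert_2014 (BACKUP CERTIFICATE ... WITH PRIVATE KEY) first.', 1;
GO
USE SalesDB;
GO
-- Protector change only: the DEK is re-encrypted under the new certificate and the
-- data pages are left alone. (ALTER DATABASE ENCRYPTION KEY REGENERATE would create
-- a new DEK and start the full decrypt/encrypt scan, encryption_state 4.)
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2014;
GO
USE master;
GO
-- Poll until the database reports 3 (encrypted, no scan running), with a deadline
-- so an operator script never waits forever on a stalled scan.
DECLARE @state int, @pct int,
        @deadline datetime2 = DATEADD(MINUTE, 60, SYSDATETIME());
WHILE 1 = 1
BEGIN
    SELECT @state = encryption_state, @pct = CAST(percent_complete AS int)
    FROM sys.dm_database_encryption_keys
    WHERE database_id = DB_ID('SalesDB');

    IF @state = 3 BREAK;
    IF SYSDATETIME() > @deadline
        THROW 50001, 'SalesDB is still not in state 3; investigate before touching the keys again.', 1;
    RAISERROR('encryption_state %d, %d%% complete', 0, 1, @state, @pct) WITH NOWAIT;
    WAITFOR DELAY '00:00:30';
END;
GO
-- Confirm the DEK is now protected by the new certificate.
SELECT DB_NAME(e.database_id) AS DatabaseName, e.encryption_state, c.name AS Protector
FROM sys.dm_database_encryption_keys AS e
JOIN sys.certificates AS c ON c.thumbprint = e.encryptor_thumbprint
WHERE e.database_id = DB_ID('SalesDB');
-- If a scan does stall, rule out corruption as Sean suggests.
SELECT file_id, page_id, event_type, error_count, last_update_date
FROM msdb.dbo.suspect_pages
WHERE database_id = DB_ID('SalesDB');
DBCC CHECKDB ('SalesDB') WITH NO_INFOMSGS;
GO
```

    The old certificate must be kept (with its private key backup) for as long as any backup taken under it might need restoring; rotating the protector does not re-encrypt backups that already exist.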

  • MS sql server  2005 and encryption

    I've got a Microsoft SQL Server 2005 database server set up
    with encryption forced on. I managed to get the MS 1.1 jdbc driver
    from Microsoft, I then tried to configure it into Coldfusion v
    7.0.2 as an Other data source. The problem I've got now is that I
    get the error
    "com.microsoft.sqlserver.jdbc.SQLServerException: The SQL
    Server login requires an SSL connection."
    I previously tried to use the SQL Server data source type but
    that didn't work either.
    So how do I get past this hurdle?

    There is currently no SSL support for JDBC connections.
    Microsoft addresses it regarding SQL Server 2005 on this mdsn
    forum thread:
    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1071465&SiteID=1
