TDE database encryption
In this article, we will review how to enable Transparent Data Encryption (TDE) on a database in SQL Server and how to move a TDE-enabled database to a different server by restoring its backup.
Transparent Data Encryption (TDE) encrypts data at rest, i.e. the data and log files. Encryption is performed at the page level of the database file. When TDE is enabled on a database, SQL Server reads each page from the data files into the buffer pool, encrypts the page and writes it back to disk.
Enabling Transparent Data Encryption (TDE) on a database
Enabling TDE on a database involves the following steps.
- Creating a master key
- Creating a certificate in the master database
- Creating a database encryption key (DEK)
- Enabling encryption on the database
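The four steps above, carried through end to end as an added T-SQL example (this is not the article's own script). It also includes the certificate backup and the restore on a second instance that the introduction refers to, because an encrypted database cannot be restored anywhere the certificate that protects its DEK is not present. The database name `SalesDB`, the certificate name `TDECert`, the file paths and the passwords are assumptions; replace them with your own values.

```sql
-- Added example, not from the original article. Names, paths and passwords
-- below are assumptions; substitute your own.

-- Step 1: database master key (DMK) in master, encrypted by the service master key.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceWithStrongPassword1!';
GO

-- Step 2: certificate in master, protected by the DMK.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for SalesDB';
GO

-- Step 3: database encryption key (DEK) inside the user database,
-- protected by the server certificate.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO

-- Step 4: switch encryption on; a background scan encrypts existing pages.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- Check progress: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO

-- Back up the certificate with its private key. Without this backup the
-- database backup cannot be restored on another instance.
USE master;
GO
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\TDE\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE\TDECert.pvk',
        ENCRYPTION BY PASSWORD = 'ReplaceWithStrongPrivateKeyPassword1!');
GO

-- On the destination instance: create a DMK if none exists, import the
-- certificate and private key, then restore the database backup.
-- (Run the following on the target server.)
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceWithTargetStrongPassword1!';
GO
CREATE CERTIFICATE TDECert
    FROM FILE = 'D:\TDE\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE\TDECert.pvk',
        DECRYPTION BY PASSWORD = 'ReplaceWithStrongPrivateKeyPassword1!');
GO
RESTORE DATABASE SalesDB
    FROM DISK = 'D:\Backups\SalesDB.bak'
    WITH MOVE 'SalesDB'     TO 'D:\Data\SalesDB.mdf',
         MOVE 'SalesDB_log' TO 'D:\Logs\SalesDB_log.ldf';
GO
```

The certificate's file and private-key passwords are the only things that let the database be opened on a different instance, so store the `.cer` and `.pvk` files separately from the database backups; a TDE-encrypted backup restored without the certificate fails with an error referring to the missing certificate thumbprint.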
Let us go through these steps one by one.
Creating a master key
We need to create a master key in the master database; this is done at the master database level. Execute the following T-SQL script, which creates a master key in the master database. Replace the sample password with a strong password of your own. This database master key is encrypted by the service master key at the instance level, which is created when the SQL Server instance is set up.
USE master
GO
-- Create the database master key in master; replace the sample password
-- with a strong password of your own.
CREATE MASTER KEY ENCRYPTION
BY PASSWORD = 'SQLshackDemo@*';
GO
Creating a certificate in the master database
The second step in enabling Transparent Data Encryption (TDE) is creating a certificate in the master database. Once we create a master key, we must create a certificate which is