SQL Server automatic encryption
- I downloaded SQL 2008 June CTP to see the new "automatic" encryption of databases. I opened a DB file in Notepad and can still see data. Is the automatic encryption not in this CTP, or does it have to be turned on somehow? This is one of the more exciting features for me.
Answers
Hi, thank you for your interest. This is indeed slated for a later CTP. Regarding the re-attach, the detached database is still encrypted. To use this on a new server, you would need to migrate (backup and restore) the certificate protecting the data to your new server as well. Otherwise, the reattach will fail. This is not handled by SQL Server Manager; this is a user controlled process.
Please let me know if you would like further info or have any more questions.
Thanks,
Sung
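Sung's answer describes migrating the certificate before a TDE database can be re-attached elsewhere. The T-SQL below is added here as an illustration, not code from the thread or from Microsoft, and uses the released SQL Server 2008 TDE syntax rather than anything in the June CTP; the database name SalesDB, the certificate name TDECert, the file paths and the passwords are placeholders.

```sql
-- Step 1 (ORIGINAL server): build the key hierarchy and turn TDE on.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
USE SalesDB;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- Step 2 (ORIGINAL server): back up the certificate WITH its private key.
-- Without this file pair a detached or backed-up SalesDB cannot be opened
-- on any other instance; store the files and the password separately.
USE master;
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private-key password>');
GO

-- Step 3 (NEW server): restore the certificate BEFORE attaching/restoring.
-- The new instance needs its own database master key in master first.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password, new server>';
CREATE CERTIFICATE TDECert
    FROM FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDECert.pvk',
        DECRYPTION BY PASSWORD = '<strong private-key password>');
GO
-- Only now does the attach (or RESTORE DATABASE) succeed; without step 3
-- SQL Server cannot open the database encryption key and the attach fails.
CREATE DATABASE SalesDB
    ON (FILENAME = 'C:\data\SalesDB.mdf'), (FILENAME = 'C:\data\SalesDB_log.ldf')
    FOR ATTACH;
GO

-- Checks: encryption_state 3 means the database is fully encrypted, and a
-- NULL pvt_key_last_backup_date means the certificate was never backed up.
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys;
SELECT name, pvt_key_last_backup_date
FROM sys.certificates WHERE name = 'TDECert';
```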
All Replies
- Where have you read about this? The Microsoft SQL Server 2008 Product Overview (http://download.microsoft.com/download/a/c/d/acd8e043-d69b-4f09-bc9e-4168b65aaa71/SQL2008_ProductOverview.doc) does not mention such a feature. It does however mention support for transparent encryption, which is scheduled for a later CTP.
Yes, it is the "transparent" encryption, which to me is "automatic" since when you tell it to encrypt, it automatically happens without any need for app changes or other changes. You say it is scheduled for a future CTP. That is what I needed to know.
Do you know any more about this feature, or where I can find information about it? For instance, is the encryption based somehow on the service or machine, so that if the database is moved to another machine it could not be successfully re-attached unless it was unencrypted first by someone knowing the password on the original machine, or by SQL Server Manager?
Thanks!
Will the Express version have the same encryption features? If not, what will be missing? We would like to choose SQL 2008 Express to be part of a mobile solution, and having encryption features would make it a slam dunk. Thanks.
Hi Rodney,
Thanks for your interest. We are only considering the transparent encryption feature for Enterprise Edition at this time and no plans have been announced to support any other SKU.
The encryption features introduced in SQL Server 2005 will continue to be available on all SKUs.
Thanks,
Sung
Hi Sung,
I am interested in how SQL Server is handling the key management part (encryption/decryption/signing). I would appreciate it if you could provide a document, or a link to a document, which explains the theoretical/functional side of SQL Server 2008 key management.
Looking for some response.
Regards
Umesh Bansal
Hi Umesh,
SQL Server 2008 will be introducing a new feature called "Extensible Key Management" (EKM) which allows for third party cryptographic providers and key stores to be used alongside the encryption and key management shipped as part of the server. Does your question relate to the EKM feature or general SQL Server key management?
For general SQL Server key management documentation, please refer to (NOTE: this is unchanged from SQL Server 2005):
http://msdn2.microsoft.com/en-us/library/ms189586.aspx
There is also a TechNet presentation available:
Hope this helps,
Sung
- Hello Sung,
It's very disappointing to hear that the transparent encryption feature is currently only being considered for the Enterprise Edition. We are currently in the process of developing an application using SQL Express that will be deployed remotely and were looking forward to being able to use the transparent encryption feature without the need for any 3rd party products.
A feature like transparent encryption would greatly improve the security of remote databases. While I see the need for transparent encryption in all versions of SQL Server, I would have thought that a feature such as this would have been most beneficial on remote deployments, where it is most difficult to secure a database.
Is there any chance that this feature will be reconsidered for any other versions of SQL Server 2008 prior to its expected release in late Feb 08?
Regards,
Adam.
- I would agree that it is quite frustrating to hear that TDE will only be available in Enterprise Edition. Third party apps, for which TDE would be the only way to achieve encryption (since application source is probably not available), are generally used in smaller shops who probably cannot afford the license for Enterprise Edition. If an application requires the other features of Enterprise Edition, then I would also have to ask why they are using transparent encryption at the database level, as I would think this would cause a considerable level of encryption/decryption overhead, most likely reducing performance (I could be wrong with this assumption, it's just my initial reaction). I could perhaps see the table level TDE for some larger apps.
Generally speaking, it seems Enterprise Edition has been reserved for those features, such as partitioning, certain indexing features, large-node-count clustering, etc., which only large applications with high performance or availability requirements need. TDE is definitely value-added, meaning (despite Ads2667's argument) I could see its exclusion from Express, but I think at least the Workgroup and/or Standard edition would be a good place for it.
I know my shop would benefit from this feature. It would probably cause us to move from 2005 to 2008, but we have no need for the other value-added features of Enterprise Edition, and would not see the move to 2008 necessary if it required the cost of an Enterprise Edition license.
Just my two cents. In the end *I* don't really care, as having to creatively force 2005's column encryption into an abstraction layer for our 3rd party apps just requires more of my time (but not enough of it to offset an Enterprise license). In the end, it is Microsoft's decision whether or not they feel this is an Enterprise feature requiring the extra return that license brings. I just hope someone did the math properly.