Implementing TDE

1. Make a duplicate of the existing database with a different name. The new database name is the
one we will use for this lab.

a) Right Click on the database AdventureWorks2019

b) Select TASKS
c) Select RESTORE
d) Select DATABASE
a) In the destination TAB change the database name to AdventureWorks2019_new
b) Select the FILES page (on left)
a) Check the box RELOCATE ALL FILES TO FOLDER
b) Change the Data File Folder to C\TEMP
c) Change the Log File Folder to C:\TEMP
d) Select the OPTIONS page on the left
e) Note: You will not have a SaleTrans secondary file like in the screen shot
a) Check Overwrite the existing database
b) Remove the check on the Tail-log Backup option
c) Check Close Existing Connections
d) Select OK
e) It should now make a duplicate of the Adventureworks2019 database called
Adventureworks2019_new. This is the database we will use.

1. Log into SSMS and create a Master Key. We must first create the master key. It must be created
in the master database, so as a precautionary measure you should begin this statement with the
USE MASTER command. Create a query as follows and execute it:
ALTER SERVICE MASTER KEY FORCE REGENERATE;
GO
USE MASTER;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD= 'putAveryStrongPasswordHere';
GO

2. Verify the Database Master Key (DMK) has been created.

SELECT name KeyName,

symmetric_key_id KeyID,
 key_length KeyLength,
algorithm_desc KeyAlgorithm
FROM sys.symmetric_keys;

3. Create a Certificate that is protected by the Master Key. The certificate’s name is “my_cert” and I
gave it a generic subject (the subject I chose is the actual name of the database we are about to
encrypt).

CREATE CERTIFICATE my_cert WITH SUBJECT= 'AdventureWorks2019_Encryption';

GO

4. Verify the certificate has been created.

SELECT name CertName,

certificate_id CertID,
pvt_key_encryption_type_desc EncryptType,
issuer_name Issuer
FROM sys.certificates
WHERE issuer_name = 'AdventureWorks2019_Encryption';
 5. Create a Database Encryption Key (DEK). Now, we must utilize our USE command to switch to
the database that we wish to encrypt. Then we create a connection or association between the
certificate that we just created and the actual database. Then we indicate the type of encryption
algorithm we are going to use. In this case it will be AES_256 encryption.
USE AdventureWorks2019_new
GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE my_cert;
GO

*** You will get a warning here about the importance of backing up your keys. ***

6. Verify the Database Encryption Key (DEK) has been created.

SELECT DB_NAME(database_id) DbName,
encryption_state EncryptState,
key_algorithm KeyAlgorithm,
key_length KeyLength,
encryptor_type EncryptType
FROM sys.dm_database_encryption_keys;

7. Exit out of the Database you want to encrypt (step 5). If there are any active connections the
encryption will not complete.
USE master;
GO

8. Enable Encryption - Finally, we can enable encryption on our database by using the ALTER
DATABASE command. Once the encryption is turned on, depending on the size of the database, it
may take some time to complete.
ALTER DATABASE AdventureWorks2019_new
SET ENCRYPTION ON;
GO

You can monitor the status by querying the sys.dm_database_encryption_keys DMV. We're looking for
encryption_state = 3. This may take awhile so be patient. Run the following SELECT statement until the
column reads 3 for all rows.

SELECT DB_NAME(database_id) AS 'Database', encryption_state

FROM sys.dm_database_encryption_keys;

Value Description
0 No database encryption key present, no encryption
1 Unencrypted
2 Encryption in progress
3 Encrypted
4 Key change in progress
5 Decryption in progress
6 The certificate or asymmetric key encrypting the DEK is being changed
 9. Backup Your Certificate and Private Key - It’s important to backup the certificate you created
and store it in a secure location. If the server ever goes down and you need to restore it
elsewhere, you will have to import the certificate to the server. Remember to store the
certificate in a safe and available locations (not a temporary one like this example) and
remember the password.
USE MASTER;
GO
BACKUP CERTIFICATE my_cert
TO FILE = ‘c:\temp\my_cert’
WITH PRIVATE KEY (file = ‘c:\temp\my_certKey.pvk’, ENCRYPTION BY PASSWORD = ‘access’);
GO

Above we generated a file for both the certificate and the private key, as well as providing a password
for the private key.

***** Now let’s assume we want to restore the database on a different server *****

10. *** Backup the AdventureWorks2019_new database to c:\temp. Call the backup
'c:\temp\AdventureWorks2019_new.bak'***
11. Be sure to do step 10 above (backup the database to c:\temp) because we are about to remove
encryption to simulate restoring our encrypted database to a new server. We can pretend a
hacker or a disgruntled user has got a copy of your encrypted database and wishes to read its
contents.

i. Disable encryption on the database so we can drop the keys

ALTER DATABASE AdventureWorks2019_new

SET ENCRYPTION OFF;
GO
ii. Drop the Database Encryption Key (DEK)

USE [AdventureWorks2019_new]
DROP DATABASE ENCRYPTION KEY;
GO

iii. Drop the certificate

USE MASTER;
GO
DROP CERTIFICATE my_cert;
GO

iv. Drop the Database Master Key (DMK)

USE MASTER;
GO
DROP MASTER KEY;
GO
12. Quit SSMS and start Configuration manager
13. Restart the SQL Service
14. Go back into SSMS

15. Double check the layout of the files. This is needed if the next query does not work.
USE master
GO
SELECT
DB_NAME([database_id]) [database_name]
, [file_id]
, [type_desc] [file_type]
, [name] [logical_name]
, [physical_name]
FROM sys.[master_files]
WHERE [database_id] IN (DB_ID('AdventureWorks2019_new'),
DB_ID('AdventureWorks2019_new'))
ORDER BY [type], DB_NAME([database_id]);

16. The first scenario for restoring a TDE protected database is the case where we try to do the
restore and we have none of the encryption pieces in place. We don't have the database master
key and we certainly don't have the certificate. This is why TDE is great. If you don't have these
pieces, the restore simply won't work. Let's attempt the restore
17. With the GUI you might not see the error message so you can try it in a query

USE MASTER
GO
RESTORE DATABASE AdventureWorks2019_copy FROM DISK =
'c:\temp\AdventureWorks2019_new.bak'
WITH
MOVE 'AdventureWorks2019' TO 'c:\temp\AdventureWorks2019_copy.mdf',
MOVE 'AdventureWorks2019_log' TO 'c:\temp\AdventureWorks2019_copy_log.ldf',
RECOVERY, REPLACE, STATS = 10
;
GO

18. Notice the error indicates something about not finding a server certificate. We cannot restore
this database without the certificate that was used to back it up.
19. You could even try creating a new database master key and a new certificate with the same
name and even the same subject that was used to backup the original database. Because this
new certificate is not the certificate that was used to backup the database this scenario would
still not allow you to restore the backup.
20. Now let’s try to recover the certificate but not the private key that we backed up.

CREATE CERTIFICATE TDECert FROM FILE = 'c:\temp\my_cert';

GO
21. Now try to restore the database.
USE MASTER
GO
RESTORE DATABASE AdventureWorks2019_copy FROM DISK =
'c:\temp\AdventureWorks2019_new.bak'
WITH
MOVE 'AdventureWorks2019' TO 'c:\temp\AdventureWorks2019_copy.mdf',
MOVE 'AdventureWorks2019_log' TO 'c:\temp\AdventureWorks2019_copy_log.ldf',
RECOVERY, REPLACE, STATS = 10
;
GO

We still get an error because although we have the correct certificate, we still do not have the
private key. Without the private key SQL Server cannot decrypt the database.

The error says the key appears to be corrupt. We know the key is not corrupt but that we have
not restored (created) it yet.

22. In order to perform a successful restore, we'll need the database master key in the master
database in place and we'll need to restore the certificate used to encrypt the database, but we'll
need to make sure we restore it with the private key. In checklist form:

• There's a database master key in the master database.

• The certificate used to encrypt the database is restored along with its private key.
• The database is restored.

23. Before we begin we will need to drop the certificate we created previously.

USE MASTER
GO
DROP CERTIFICATE TDECert
GO

24. Now we can do the complete sequence

ALTER SERVICE MASTER KEY FORCE REGENERATE;

GO
USE MASTER;
GO
CREATE MASTER KEY
ENCRYPTION BY PASSWORD = '2ndserver';
GO

CREATE CERTIFICATE TDECert

FROM FILE = 'c:\temp\my_cert'
WITH PRIVATE KEY
(FILE = ‘c:\temp\my_certKey.pvk ', DECRYPTION BY PASSWORD = 'access');
 GO

25. Now try and restore the database

USE MASTER
GO
RESTORE DATABASE AdventureWorks2019_copy FROM DISK =
'c:\temp\AdventureWorks2019_new.bak'
WITH
MOVE 'AdventureWorks2019' TO 'c:\temp\AdventureWorks2019_copy.mdf',
MOVE 'AdventureWorks2019_log' TO 'c:\temp\AdventureWorks2019_copy_log.ldf',
RECOVERY, REPLACE, STATS = 10
;
GO