silentolz.blogg.se

Vce designer error retrieving key to decrypt












What do Mick Jagger/Keith Richards and Transparent Data Encryption (TDE)/Extensible Key Management (EKM) have in common? On their own, they are just OK, but when together, are unstoppable. In this article, we will discuss encryption key management and how TDE and EKM come together to protect private data and meet security best practices.

There are many reasons to encrypt private data. Fortunately, Microsoft introduced TDE and EKM many years ago in SQL Server 2008 Enterprise, which gives organizations the ability to protect data at rest without modifying their business applications. Unfortunately, however, it is way too easy for businesses who need to protect private information to think they are encrypting their data, but really leaving it vulnerable to a breach. “How is this possible?” you might ask yourself. When people think about encrypting data, they often only think about the part where the data is obfuscated, failing to consider how they are securing the key that unlocks their encrypted data – essentially leaving the keys to their house underneath the welcome mat. In the security world, this is referred to as storing encryption keys “locally”. While a quick Google search will yield many results for “SQL Server TDE”, EKM has not been given the attention it deserves.

TDE encrypts the storage of an entire database by using a symmetric key called the Data Encryption Key (DEK) which is stored in the database boot record for availability during recovery. Microsoft realized that storing the database encryption key locally represented a significant security risk to “encrypted” data. Using the EKM provider architecture, administrators can protect DEK keys by using an asymmetric key stored outside of SQL Server in an external key manager. This model adds an additional layer of security and separates the management of keys and data.

EKM Provider software performs encryption and key management tasks as an extension to the SQL Server database. The EKM Provider architecture opened the door for third-party key management vendors to extend encryption to include proper encryption key management. TDE encrypts the database data files and database logs in SQL Server Enterprise. By design, there is no need or ability to select which tables are encrypted - all pages that make up the database are encrypted. When data is read from disk SQL Server decrypts the entire block making the data visible to the database engine.
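To check which of the two models a server is actually using, the following T-SQL audit query (an added example, not part of the original article) reports for every TDE-enabled database whether its DEK is protected by a certificate kept in `master` or by an asymmetric key held in an EKM provider. It assumes SQL Server 2012 or later (for the `encryptor_type` column) and a login with `VIEW SERVER STATE`.

```sql
-- Added example: audit how each TDE Data Encryption Key (DEK) is protected.
-- Run in master, where the DEK protectors (certificates / asymmetric keys) live.
USE master;

SELECT
    d.name                     AS database_name,
    dek.encryption_state,      -- 3 = encrypted, 2 = encryption in progress
    dek.key_algorithm,
    dek.key_length,
    dek.encryptor_type,        -- 'CERTIFICATE' or 'ASYMMETRIC KEY'
    COALESCE(c.name, ak.name)  AS encryptor_name,
    CASE
        -- Asymmetric key created FROM PROVIDER: private key stays in the key manager
        WHEN dek.encryptor_type = 'ASYMMETRIC KEY'
             AND ak.provider_type = 'CRYPTOGRAPHIC PROVIDER'
            THEN 'EKM: DEK protector held in external key manager'
        -- Certificate in master: protector is stored on the same server as the data
        WHEN dek.encryptor_type = 'CERTIFICATE'
            THEN 'LOCAL: DEK protector is a certificate in master'
        ELSE 'REVIEW: protector could not be resolved'
    END                        AS key_storage,
    cp.name                    AS ekm_provider,
    cp.is_enabled              AS ekm_provider_enabled
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d
    ON d.database_id = dek.database_id
LEFT JOIN sys.certificates AS c
    ON dek.encryptor_type = 'CERTIFICATE'
   AND c.thumbprint = dek.encryptor_thumbprint
LEFT JOIN sys.asymmetric_keys AS ak
    ON dek.encryptor_type = 'ASYMMETRIC KEY'
   AND ak.thumbprint = dek.encryptor_thumbprint
LEFT JOIN sys.cryptographic_providers AS cp
    ON cp.guid = ak.cryptographic_provider_guid
-- tempdb is encrypted automatically once any database uses TDE; skip it here
WHERE d.name <> 'tempdb'
ORDER BY key_storage, d.name;
```

Rows reported as `LOCAL` are the "key under the welcome mat" case the article describes; rows reported as `EKM` should also show the provider as enabled.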












