Pro Encryption in SQL Server 2022: Provide the Highest Level of Protection for Your Data
This in-depth look at the encryption tools available in SQL Server shows you how to protect data by encrypting it at rest with Transparent Data Encryption (TDE) and in transit with Transport Layer Security (TLS). You will know how to add the highest levels of protection for sensitive data using Alwa...
| Field | Value |
|---|---|
| Other authors: | |
| Format: | E-book |
| Language: | English |
| Published: | New York, New York : Apress L. P. [2022] |
| Edition: | [First edition] |
| Subjects: | |
| View at Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009703305006719 |

Table of Contents:
- Intro
- Table of Contents
- About the Author
- About the Technical Reviewer
- Acknowledgments
- Introduction
- Part I: Understanding the Landscape
- Chapter 1: Purpose of Encryption and Available Tools
- What Is the Purpose of Encryption?
- Encryption and Data Protection Regulation
- Overview of the Tools Available in SQL Server
- TDE
- Backup Encryption
- Always Encrypted
- TLS
- Hashing and Salting
- Encryption Functions
- EKM
- Recommended Approach to Encryption
- Encryption in the Cloud
- Summary
- Part II: At-Rest Encryption
- Chapter 2: Introducing Transparent Data Encryption
- What Is TDE?
- Understanding Keys and Certificates
- Database Encryption Key (DEK)
- Certificate and Associated Asymmetric Key Pair
- Database Master Key (DMK)
- Service Master Key (SMK)
- Understanding the Need for the Hierarchy
- How Secure Is TDE?
- What Are We Protected From?
- How Easy Is It to Break Down the Encryption?
- Summary
- Chapter 3: Setting Up TDE
- Creating the Keys and Certificate
- Creating the Database Master Key (DMK)
- Creating the Certificate
- Creating the Database Encryption Key (DEK)
- Encrypting the Database
- Securing the Root Keys
- Encrypting Existing Data with TDE
- Benchmarking TDE Performance on Your Server
- Monitoring for Problems
- What If You Run into Any Performance Problems During the Scan?
- What If the Encryption Scan Fails?
- Taking Backups While Encryption Is in Progress
- Summary
- Chapter 4: Managing TDE
- Migrating or Recovering a TDE-Protected Database
- Create a Database Master Key (DMK) If One Doesn't Exist
- Restore the Certificate and Private Key
- Restore the Database
- Recovering a TDE Database Without the Certificate
- Setting Up a New SQL Instance Using the Same Service Account as the Old Instance
- Restore Your Backup of Master from the Old Instance onto the New Instance
- Reboot Your New Server: The Whole Server, Not Just SQL
- Backup Your Certificate and Private Key - and Don't Lose Them This Time
- Key Rotation
- Creating a New Certificate
- Rotating the Certificate
- Impact of TDE on Performance
- Where Do We See an Overhead?
- How to Estimate the Performance Impact for Your Server?
- TDE and Backups
- Backup Performance
- Backup Compression
- Backup Compression Issues
- TDE and High Availability
- Summary
- Chapter 5: Backup Encryption
- Setting Up Backup Encryption
- Creating a Test Database
- Create the Database Master Key (DMK)
- Creating the Certificate
- Permissions
- Working with Encrypted Backups
- Taking an Encrypted Backup
- Restoring an Encrypted Backup
- Backup Encryption Performance
- Backup Encryption and Compression
- Summary
- Part III: Column Encryption Using Always Encrypted
- Chapter 6: Introducing Always Encrypted
- SQL Server 2016 vs. SQL Server 2019 and Beyond
- How Does Always Encrypted Work?
- Encryption Hierarchy
- Encryption in Practice
- Summary
- Chapter 7: Setting Up Always Encrypted
- Create Keys and Certificates
- Creating the Certificate and Column Master Key
- Creating the Column Encryption Key (CEK)
- Create an Encrypted Column
- Summary
- Chapter 8: Executing Queries Using Always Encrypted
- Performing a Basic Insert and Select
- Connecting to the Database
- Inserting Data
- Reading Data
- Looking at What Happens in the Background
- What Happens with an Insert Query
- What Happens with a Select Query
- Issuing a Query with a Predicate Against an Encrypted Column
- Indexes and Statistics on Encrypted Columns
- Working with Stored Procedures
- Querying Always Encrypted Data from Your Application
- Working with Direct Queries
- Working with Stored Procedures
- Summary
- Chapter 9: Encrypting Existing Data with Always Encrypted
- Encrypting Data Using the Always Encrypted Wizard
- Encrypting Data Using PowerShell
- Encrypting Data Using the Import and Export Wizard
- Summary
- Chapter 10: Limitations with Always Encrypted
- SQL Server Only Ever Sees Encrypted Data
- Strong Encryption Isn't Predictable
- Deterministic vs. Randomized
- Data Types
- Miscellaneous
- Summary
- Chapter 11: Key Rotation with Always Encrypted
- CMK Rotation
- Rotating the CMK Using the SSMS GUI
- Rotating the CMK Using T-SQL
- Rotating the CMK Using PowerShell
- Rotating the CMK Using PowerShell with Role Separation
- Part 1: DBA
- Part 2: Security Administrator
- Part 3: DBA
- Rotating the CEK
- Summary
- Chapter 12: Considerations When Implementing Always Encrypted
- Choosing What Data to Encrypt
- Source Control and Release Management
- ETL
- Performance
- Client Drivers
- Summary
- Part IV: Column Encryption Using Always Encrypted with Enclaves
- Chapter 13: Introducing Always Encrypted with Enclaves
- Attestation
- Executing Queries That Use the Enclave
- The Attestation Process
- The Query Execution Process
- Summary
- Chapter 14: Setting Up Always Encrypted with Enclaves
- Setting Up Your VMs
- Setting Up Networking
- Install and Configure Host Guardian Service (HGS)
- Install SQL Server and Configure as a Guarded Host
- Summary
- Chapter 15: In-Place Encryption with Always Encrypted Enclaves
- Setting Up Our Test Database and Keys
- In-Place Encryption and Decryption of Data
- Performance of In-Place Encryption
- CEK Rotation
- Summary
- Chapter 16: Rich Querying with Always Encrypted Enclaves
- Setting Up Your Database and Data
- Rich Querying
- Indexes on Columns with Randomized Encryption
- Reading from an Index
- Updating an Index When Data Is Modified
- Index Rebuilds
- Database Recovery After Failure or Shutdown
- Joins
- Summary
- Chapter 17: Setting Up TPM Attestation
- Prerequisites for Your SQL Server to Support TPM Attestation
- Artifacts That Are Required by Attestation
- TPM Endorsement Key Certificate
- TPM Baseline
- Code Integrity Policy
- Installing and Configuring HGS
- Configuring the SQL Server
- Install the Attestation Client Components
- Making Sure VBS Is Configured Correctly
- Configure the Attestation URL
- Configuring a Code Integrity Policy
- Collect and Register Attestation Artifacts
- Check SQL Server Can Attest Successfully
- Configure the Enclave Type in SQL Server
- Summary
- Part V: Completing the Picture
- Chapter 18: Encryption In Transit Using Transport Layer Security
- How TLS Works
- Obtaining a Certificate to Use for TLS
- Setting Up TLS on Your SQL Server
- Performance
- Summary
- Chapter 19: Hashing and Salting of Passwords
- Hashing
- Salting
- Using the HASHBYTES Function
- Storing Passwords Using HASHBYTES and a Salt Value
- Summary
- Chapter 20: Extensible Key Management (EKM)
- Creating the Required Objects in Azure
- Creating the Resource Group
- Creating the Azure Active Directory App Registration
- Creating the Key Vault
- Setting Up TDE to Use Azure Key Vault
- Creating the Key for TDE
- Setting Up the SQL Server
- Working with Always Encrypted and EKM
- Creating a CMK in Azure Key Vault
- Encrypting Columns and Working with Data
- Working with Azure Key Vault from Your Application
- Summary
- Chapter 21: Other Methods of Column Encryption
- Encryption Using a Symmetric Key
- Your Key Hierarchy
- Working with Automated Key Management
- Creating the Keys
- Encrypting and Decrypting Data
- Using an Authenticator
- Where the DMK Is Not Protected by the SMK
- Where the Symmetric Key Is Just Protected by a Password
- Working with and Indexing Encrypted Columns
- Migrating or Restoring a Database with Column Encryption
- Temporary Keys
- Encryption by Passphrase
- Protection of Key Passwords Being Sent to SQL Server
- Summary
- Appendix A: Glossary of Terms
- A
- Advanced Encryption Standard
- AES
- Always Encrypted
- Always Encrypted Wizard
- Asymmetric Encryption
- Asymmetric Key
- At-Rest Data
- Attestation
- Authenticator
- Automated Key Management
- Azure Key Vault
- B
- Backup Encryption
- C
- CA
- CEK
- Certificate
- Certification Authority
- Certificate Store
- CMK
- Code Integrity Policy
- Column Encryption Key
- Column Master Key
- D
- Data Encryption Standard
- Database Encryption Key
- Database Master Key
- DEK
- DES
- Deterministic Encryption
- Diffie Hellman
- DMA Protection
- DMK
- DPAPI
- E
- EKM
- Enclave
- Encryption Scan
- Extensible Key Management
- H
- Hardware Security Module
- Hash
- HGS
- Host Guardian Service
- Host Health Certificate
- Host Key
- HSM
- I
- In-Transit Encryption
- K
- Key Rotation
- P
- Parameterization for Always Encrypted
- Private Key
- Public Key
- R
- Randomized Encryption
- S
- Salt
- Secure Boot
- Secure Hashing Algorithm
- Service Master Key
- SHA
- SMK
- Symmetric Encryption
- Symmetric Key
- T
- TDE
- TDS
- Temporary Key
- Thumbprint
- TLS
- TPM
- TPM Baseline
- TPM Endorsement Key
- Transport Layer Security
- Transparent Data Encryption
- Trusted Platform Module
- V
- VBS
- Virtualization Based Security
- W
- Windows Data Protection API
- Appendix B: Encryption in the Cloud
- Azure VM
- Azure SQL Database or Managed Instance
- TDE
- Backup Encryption
- Always Encrypted with Secure Enclaves
- TLS
- AWS VM (EC2)
- EKM
- Always Encrypted with Secure Enclaves
- AWS RDS