April 2, 2012 at 6:57 am
Hi DBAs
I am planning to implement TDE on cluster nodes. Please throw some valuable suggestions and tips...
I appreciate your valuable suggestions.
Thank you.
April 2, 2012 at 7:37 am
Well ...
I found some points here ...
1. Since both the nodes share one disk, we need to create one cert and one key for both the nodes and save them with proper folder security with admin visibility.
Will be working on this ... I will keep posting.
April 4, 2012 at 7:52 am
I would recommend storing the certificate backup in source control, not in a folder on the server.
April 4, 2012 at 8:37 am
Thanks Robert. Can you please explain a little bit more why we need to save it in source control?
April 4, 2012 at 8:44 am
My thinking ... TDE should not be implemented on all databases; I am thinking TDE will be more useful for one DB (say HR database) on a server.
Found some more flaws here in my research:
1. Even though you encrypt only one DB (user database) on a server, tempdb will also get encrypted.
2. Once TDE is enabled, the compression rate will drop drastically. We can say we cannot compress the database.
I won't suggest implementing TDE on large databases.
Reason: The process of encrypting and decrypting will take hours (no estimated time when it is going to complete).
April 4, 2012 at 9:11 am
@bi (4/4/2012)
Thanks Robert. Can you please explain a little bit more why we need to save it in source control?
At the very least, ensure you apply appropriate ACLs to the folder where you store the certificate. Ideally, don't store it on the server; the reason for this should be obvious 😉
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
April 4, 2012 at 9:24 am
Robert Davis (4/4/2012)
I would recommend storing the certificate backup in source control, not in a folder on the server.
Definitely not on the server, but I might also make sure it's offsite somewhere, perhaps in a rotation of key tapes, or media that's stored in a safe deposit box or similar location.
April 4, 2012 at 9:42 am
@bi (4/4/2012)
Thanks Robert. Can you please explain a little bit more why we need to save it in source control?
It needs to be stored separately from the database backups. Not on the same server, not on the same tapes, etc. It needs to be kept someplace secure but accessible to your SQL admins. Where is that going to be? Source control is the first thing I think of, though there are definitely other options. I like source control because it is often backed up as well.
April 4, 2012 at 11:06 am
Agreed, guys. Thanks for the response.
How about storing the key and cert in a folder with unique security to that folder?
What do you guys think?
April 4, 2012 at 11:20 am
@bi (4/4/2012)
How about storing the key and cert in a folder with unique security to that folder? What do you guys think?
As I said, at least use appropriate NTFS ACLs to protect the cert backup while it's on the server. As the other guys have advised, move it somewhere more secure long term.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
April 4, 2012 at 11:27 am
And implement auditing. If the key is moved, you want to know.
April 4, 2012 at 11:56 am
Thanks Perry.
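
Added example, not part of any post in this thread: a T-SQL sketch of the setup discussed above (one key and one certificate for the instance, a certificate backup that is then moved off the server, and a check of encryption progress). The database name HR, the certificate name TdeCert, the X:\TdeStaging path and the passwords are placeholders assumed for illustration.

```sql
-- Added example. HR, TdeCert, X:\TdeStaging and the passwords are placeholders.
USE master;
GO
-- One database master key and one certificate for the instance.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for HR';
GO
-- Back up the certificate AND its private key before enabling TDE.
-- Without both files the encrypted database and its backups cannot be
-- restored on another server. Treat this folder as staging only: move
-- the two files somewhere secure and separate from the database backups.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'X:\TdeStaging\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'X:\TdeStaging\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
USE HR;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- Starts the background encryption scan.
ALTER DATABASE HR SET ENCRYPTION ON;
GO
-- Progress and key inventory. encryption_state: 2 = encryption in
-- progress, 3 = encrypted. tempdb gets its own row once any user
-- database is encrypted; it has no matching certificate, so the
-- certificate columns are NULL for it (hence the LEFT JOIN).
SELECT DB_NAME(k.database_id)      AS database_name,
       k.encryption_state,
       k.percent_complete,
       c.name                      AS certificate_name,
       c.expiry_date,
       c.pvt_key_last_backup_date  -- NULL means the private key was never backed up
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint;
```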