Post reply

TDE doubts

  • April 29, 2020 at 6:05 am

    #3747222

    Hi All,

    As a part of security compliance are in a process of implementing TDE on all of the prod servers.

    Server version is SQL 2012 SP4 Enterprise Edition.

    Followed below steps :

    -- create Database master key(DMK) in "master" database

    -- create Certificate in "master" database

    -- backup the master key and certificate

    -- In user db, we create the Database Encryption Key (DEK)

    -- Finally, turn TDE using alter statement

    ALTER DATABASE testdb SET ENCRYPTION ON;

    My question is, we implemented TDE on multiple production servers. However, on one of the prod server, when we tried to create master key (DMK),

    it says, the master already exists. The server was there even before I came into the organization and no one knows who created it nor there is any documentation.

    1. Is there a way to get the password of the existing master key? or Can we drop this master key and create a new master key but not sure what if there is any dependencies I can see a certificate which is encrypted by this master key ?

    select * from sys.symmetric_keys

    select * from sys.certificates;

     

    1

    Further more, I checked if anyone has implemented TDE on any of the databases ? There were None.

    USE master;

    GO

    SELECT

    db.name,

    db.is_encrypted,

    dm.encryptor_type,

    dm.encryption_state,

    dm.percent_complete,

    dm.key_algorithm,

    dm.key_length

    FROM

    sys.databases db

    LEFT OUTER JOIN sys.dm_database_encryption_keys dm

    ON db.database_id = dm.database_id

    where is_encrypted = 1

    GO

     

    2

    2. Is there a way to re-generate the password for existing master key ? if so, what issues or any implications ?

    3. Can we have a second master key created or per server we can have only 1 master key ?

    Regards,

    Sam

  • April 30, 2020 at 6:10 am

    #3747563

    Thanks for posting your issue and hopefully someone will answer soon.

    This is an automated bump to increase visibility of your question.

  • April 30, 2020 at 4:13 pm

    #3747737

    There is only one master key in each database, which provides the basis for all encryption objects in that database. You don't need to drop this, thought you can use ALTER MASTER KEY (https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-master-key-transact-sql?view=sql-server-2017) to change the password. you need to regenerate with this. The issues are load as other keys are reencrypted here.

     

  • May 1, 2020 at 5:37 am

    #3747923

    Thank you Steve.

     

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply