TDE rekeying and DB access

  • Just did TDE rekeying as per Security request (certainly a test env :-))

    I mean: decrypted the DB, removed the old key/certificate, configured TDE with the new key/certificate, encrypted the DB.

    Slightly confused with DB access during the encryption/decryption process. It seems (from sp_lock) only an extent is locked (probably one at a time), not the whole DB as I previously thought (shame on me). Does that mean the DB is mainly accessible and only the data from that particular extent is locked? Or am I wrong?

    I need to estimate possible downtime during Prod rekeying and therefore this info is pretty valuable to me. Thanks

  • as detailed here

    Transparent Data Encryption

    Restrictions

    The following operations are not allowed during initial database encryption, key change, or database decryption:

    • Dropping a file from a filegroup in the database

    • Dropping the database

    • Taking the database offline

    • Detaching a database

    • Transitioning a database or filegroup into a READ ONLY state

    The following operations are not allowed during the CREATE DATABASE ENCRYPTION KEY, ALTER DATABASE ENCRYPTION KEY, DROP DATABASE ENCRYPTION KEY, or ALTER DATABASE...SET ENCRYPTION statements.

    • Dropping a file from a filegroup in the database.

    • Dropping the database.

    • Taking the database offline.

    • Detaching a database.

    • Transitioning a database or filegroup into a READ ONLY state.

    • Using an ALTER DATABASE command.

    • Starting a database or database file backup.

    • Starting a database or database file restore.

    • Creating a snapshot.

    The following operations or conditions will prevent the CREATE DATABASE ENCRYPTION KEY, ALTER DATABASE ENCRYPTION KEY, DROP DATABASE ENCRYPTION KEY, or ALTER DATABASE...SET ENCRYPTION statements.

    • The database is read-only or has any read-only file groups.

    • An ALTER DATABASE command is executing.

    • Any data backup is running.

    • The database is in an offline or restore condition.

    • A snapshot is in progress.

    • Database maintenance tasks.

    When creating database files, instant file initialization is not available when TDE is enabled.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Thanks Perry. It seems that from an external user's point of view the DB will be online all the time. This is good. But frankly I am still not sure how data from an exclusively locked extent can be read or updated? Thanks again

  • The database is encrypted a page at a time and on a large database this can take some time. The database is still available for normal access; however, maintenance is disabled as specified above.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉
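The thread describes a rekey done as a full decrypt / drop key / re-encrypt cycle and asks how to judge the outage window. The T-SQL below is an added example, not code from either poster or from Microsoft's documentation; it shows the two online alternatives SQL Server offers (rotating only the certificate that protects the database encryption key, or regenerating the DEK so every page is rewritten, which is the state the original poster observed) and the DMV query used to watch progress while the database stays in use. Database name, certificate names, file paths and the password are placeholders.

```sql
-- Added example (not from the thread): TDE rekey with progress monitoring.
-- Placeholders: [MyProdDb], TDE_Cert_Old, TDE_Cert_New, backup paths, password.
USE master;
GO
-- 1. Create the new certificate in master and back it up (with its private key)
--    before it protects anything; without this backup the database is unrestorable.
CREATE CERTIFICATE TDE_Cert_New WITH SUBJECT = 'TDE certificate rotation';
GO
BACKUP CERTIFICATE TDE_Cert_New
    TO FILE = 'C:\keybackup\TDE_Cert_New.cer'
    WITH PRIVATE KEY (FILE = 'C:\keybackup\TDE_Cert_New.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO
USE [MyProdDb];
GO
-- 2a. Rotate the protector only: re-encrypts the DEK, not the data pages.
--     encryption_state shows 6 (protection change) briefly, then returns to 3.
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_New;
GO
-- 2b. Or regenerate the DEK itself: every page is re-encrypted by the background
--     scan the thread describes (encryption_state 4, key change in progress).
--     Pick 2a or 2b according to what the security request actually demands.
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
GO
-- 3. Poll this while the scan runs; the database remains online throughout.
--    encryption_state: 1 unencrypted, 2 encrypting, 3 encrypted,
--                      4 key change in progress, 5 decrypting, 6 protection change
SELECT DB_NAME(k.database_id)   AS db_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name                   AS protecting_certificate
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('MyProdDb');
GO
-- 4. Only once encryption_state is back to 3 and protecting_certificate shows
--    TDE_Cert_New may the old certificate be retired from this server.
USE master;
GO
DROP CERTIFICATE TDE_Cert_Old;
GO
```

Two practical points follow from the restrictions quoted above. First, step 3 is the downtime estimate the original poster wanted: user queries keep running, but `percent_complete` tells you how long backups, ALTER DATABASE and snapshot creation will be blocked, so schedule those around the scan rather than planning an outage. Second, keep the backup of the old certificate (and its password) in the key store even after dropping it from the server; any database or log backup taken while the old certificate protected the DEK can only be restored with that certificate present.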
