SQL Server 2012 Transparent Data Encryption (TDE) issues
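I recently needed encryption and found TDE. Only when generating the certificate did I discover that the installed SQL Server was not the Enterprise edition; at present it seems that only the Enterprise editions of SQL 2008 and later support it. Can it be upgraded? I tried the automatic upgrade and it reported success, but on installing again it still said the edition was wrong, and select @@version showed that the version had not changed.
So, reinstall. I went to Control Panel to uninstall 2012 and, strangely, it could not be uninstalled. I uninstalled all the SQL components, yet the database was still usable. Odd; was it because of the upgrade?
Time to rebuild the operating system.
Waiting........
With the system rebuilt, I installed SQL 2012 Enterprise edition first.
OK, now the certificate could be generated and the encryption went through without trouble. The encryption process follows.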
```sql
USE master;
GO
-- Check whether the master database is encrypted
-- SELECT name, is_master_key_encrypted_by_server FROM sys.databases; -- 1 means encrypted

-- Each database can have only one database master key
-- Drop the old certificate and key (skipped when they do not exist)
IF EXISTS (SELECT 1 FROM sys.certificates WHERE name = N'MyServerCert')
    DROP CERTIFICATE MyServerCert;
IF EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    DROP MASTER KEY;
GO

-- Create a master key in the master database
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd';
-- View the key information in the master database
-- SELECT * FROM sys.symmetric_keys

-- Create the certificate that protects the database encryption key (DEK)
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
-- IF DB_ID('TDEDemo') IS NOT NULL
--     DROP DATABASE TDEDemo
GO

USE demo1;
GO
-- Create the database encryption key, encrypted with the MyServerCert certificate
-- DROP DATABASE ENCRYPTION KEY
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO

-- After running the statement above, this appears:
/*
Warning: The certificate used for encrypting the database encryption key has not been backed up.
You should immediately back up the certificate and the private key associated with the certificate.
If the certificate ever becomes unavailable or if you must restore or attach the database on another server,
you must have backups of both the certificate and the private key or you will not be able to open the database.
*/
/*
警告: 用于对数据库加密密钥进行加密的证书尚未备份。应当立即备份该证书以及与该证书关联的私钥。
如果该证书不可用,或者您必须在另一台服务器上还原或附加数据库,则必须对该证书和私钥均进行备份,否则将无法打开该数据库。
*/

-- It prompts you to back up the certificate immediately. When backing up the certificate here,
-- there is no need to specify a symmetric key for encrypting the private key,
-- because its key is encrypted by the database master key of the master database.
-- Accordingly, back up the database master key (master) as well.
USE master;
GO
-- If automatic decryption of the master key is not enabled:
-- OPEN MASTER KEY DECRYPTION BY PASSWORD = 'P@ssw0rd';

-- Back up the database master key (DMK)
BACKUP MASTER KEY TO FILE = 'D:\Cers\master_key'
    ENCRYPTION BY PASSWORD = N'P@ssw0rd';

-- Back up the certificate; the .pvk file is generated automatically
BACKUP CERTIFICATE MyServerCert TO FILE = 'D:\Cers\master_cer'
    WITH PRIVATE KEY (
        FILE = 'D:\Cers\master_cert.pvk',
        ENCRYPTION BY PASSWORD = 'P@ssw0rd'
    );
GO

-- In production, switch to single-user mode before running the encryption
-- ALTER DATABASE dbname SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
USE master;
GO
BACKUP DATABASE demo1 TO DISK = N'D:\demo1.bak';

/*
In testing, OFF / ON sometimes reports a failure:
消息 33122,级别 16,状态 1,第 1 行
此命令要求数据库 'TDEDemo' 上有数据库加密扫描。但是,自上次挂起日志备份的加密扫描以来,数据库已经更改。请提取一个日志备份,然后重试该命令。
消息 5069,级别 16,状态 1,第 1 行
ALTER DATABASE 语句失败。
*/

-- Check whether the database is encrypted; encryption_state 3 means TDE-encrypted
SELECT DB_NAME(database_id) AS dbname, encryption_state
FROM sys.dm_database_encryption_keys;

-- Once the backup has succeeded, turn TDE encryption on
ALTER DATABASE demo1 SET ENCRYPTION ON;

-- Turn TDE encryption off (run on its own when needed; left commented out
-- so that this script does not immediately undo the step above)
-- ALTER DATABASE demo1 SET ENCRYPTION OFF;

-- Switch back to multi-user access
-- ALTER DATABASE dbname SET MULTI_USER WITH ROLLBACK IMMEDIATE;
GO
```
Strangely, after I switched TDE ON and OFF several times, the following error appeared after a while. Once it appears, TDE can be neither turned on nor turned off; only rebuilding the database fixed it. I don't know what causes it.
```
消息 33122,级别 16,状态 2,第 1 行
此命令要求数据库 'demo1' 上有数据库加密扫描。但是,自上次挂起日志备份的加密扫描以来,数据库已经更改。请提取一个日志备份,然后重试该命令。
消息 5069,级别 16,状态 1,第 1 行
ALTER DATABASE 语句失败。
```
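A pre-flight check for the steps above, added here as an example and not part of the original post: it lists every database encryption key with the certificate that protects it and the date that certificate's private key was last backed up, then turns encryption on for demo1 only if the backup exists and no encryption scan is running. It reuses the post's names (demo1, MyServerCert) and assumes the session has VIEW SERVER STATE permission.

```sql
USE master;
GO
-- Added example, not from the original post.
-- One row per database that has a DEK, with the protecting certificate's backup status.
SELECT DB_NAME(dek.database_id)   AS dbname,
       CASE dek.encryption_state
            WHEN 0 THEN 'no DEK'
            WHEN 1 THEN 'unencrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
       END                        AS state_desc,
       dek.percent_complete,      -- non-zero only while a scan is running
       dek.key_algorithm,
       dek.key_length,
       c.name                     AS protecting_cert,
       c.expiry_date,
       c.pvt_key_last_backup_date -- NULL: private key has never been exported
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
GO

-- Guard: refuse to enable TDE on demo1 until the certificate is backed up
-- and any running encryption scan has finished.
DECLARE @state int, @cert_backup datetime;

SELECT @state       = dek.encryption_state,
       @cert_backup = c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID(N'demo1');

IF @state IS NULL
    RAISERROR('demo1 has no database encryption key yet.', 16, 1);
ELSE IF @cert_backup IS NULL
    RAISERROR('Back up the certificate and its private key before enabling TDE.', 16, 1);
ELSE IF @state IN (2, 4, 5, 6)
    RAISERROR('An encryption scan is still running on demo1 (state %d).', 16, 1, @state);
ELSE IF @state = 1
    ALTER DATABASE demo1 SET ENCRYPTION ON;
GO
```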
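After encryption comes the question of restoring. If the server has a problem, restoring onto another machine is a common task. In testing I found that a database restored to a non-Enterprise edition cannot be used normally, which means it has to be an Enterprise edition to support a TDE-protected database (I am not sure whether I have understood this correctly). The restore code follows.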
```sql
USE master;
GO
-- Check whether the master database is encrypted
-- SELECT name, is_master_key_encrypted_by_server FROM sys.databases; -- 1 means encrypted
-- GO
-- Drop the database master key in master if one exists
-- DROP MASTER KEY;

/**
-- Some people online say the master key can be restored this way, but in my testing
-- this method could not restore the master key properly. I don't know whether it is
-- a problem with my version. Tested on SQL 2012 Enterprise edition.
RESTORE MASTER KEY FROM FILE = 'D:\Cers\master_key'
    DECRYPTION BY PASSWORD = 'P@ssw0rd'
    ENCRYPTION BY PASSWORD = 'P@ssw0rd';
**/

-- Create the master key; it may differ from the one being restored
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd';
GO

-- Create the certificate
-- DROP CERTIFICATE MyServerCert
-- Same password as the key being restored; the other files must keep the same paths
CREATE CERTIFICATE MyServerCert
FROM FILE = 'D:\Cers\master_cer'
WITH PRIVATE KEY (
    FILE = 'D:\Cers\master_cert.pvk',
    DECRYPTION BY PASSWORD = 'P@ssw0rd'
);
GO

-- Database restore
-- If the logical file names are not known, the following statement lists them
-- RESTORE FILELISTONLY FROM DISK = N'D:\Cers\Demo1.bak'
-- If the physical paths differ, use MOVE to change them
RESTORE DATABASE demo
FROM DISK = N'D:\Cers\Demo1.bak'
WITH MOVE 'demo1' TO 'd:\data\demo.mdf',
     MOVE 'demo1_log' TO 'd:\data\demo.ldf';
GO
```
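Restoring to the Business edition gives the following message
If anyone knows a solution, please leave a comment. Much appreciated.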

