search
HomeDatabaseMysql TutorialChapter1SecuringYourServerandNetwork(11):使用透明数据库加密

原文出处:http://blog.csdn.net/dba_huangzj/article/details/38398813,专题目录:http://blog.csdn.net/dba_huangzj/article/details/37906349 未经作者同意,任何人不得以原创形式发布,也不得已用于商业用途,本人不负责任何法律责任。 前一篇:http://b

原文出处:http://blog.csdn.net/dba_huangzj/article/details/38398813,专题目录:http://blog.csdn.net/dba_huangzj/article/details/37906349

未经作者同意,任何人不得以“原创”形式发布,也不得已用于商业用途,本人不负责任何法律责任。

前一篇:http://blog.csdn.net/dba_huangzj/article/details/38368737

前言: 

如果没有对数据库文件(MDF/LDF等)做权限控制,攻击者可以把这些文件复制走,然后附加到自己机器上进行分析。第一层保护就是对SQL Server文件所在的NTFS文件系统进行权限管控。如果希望进一步保护数据库,可以使用透明数据库加密(Transparent Database Encryption,TDE),这个功能可以保护对应数据库的所有文件,不管有多少个文件。因为文件已经加密,即使这些文件被复制走,如果没有数据库主密钥,也一样不能使用。同时,这种加密不影响用户对数据库的使用,开发人员不需要对此做额外的工作。

需要注意,只有开发版、且一般和数据中心版才支持TDE。 

实现:

1. 创建服务器加密主密钥:

USE master; 
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '强密码';

2. 马上备份主密钥,并放到安全的地方,如果丢失了主密钥,将导致自己都无法使用:

BACKUP MASTER KEY TO FILE = '\\path\SQL1_master.key' ENCRYPTION BY 
PASSWORD = '强密码';

其中密码必须复合Windows 安全策略要求,并且SQL Server服务帐号要有对对应目录的写权限。

3. 在Master库中创建服务器证书:

CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE Certificate'; 

4. 备份证书:

BACKUP CERTIFICATE TDECert TO FILE = '\\path\SQL1_TDECert.cer' 
  WITH PRIVATE KEY ( 
    FILE  = '\\path\SQL1_TDECert.pvk', 
    ENCRYPTION BY PASSWORD = '另外一个强密码' 
);

5. 创建对应数据库的数据库加密密钥:

USE 目标数据库; 
GO 
CREATE DATABASE ENCRYPTION KEY 
WITH ALGORITHM = AES_128 
ENCRYPTION BY SERVER CERTIFICATE TDECert; --TDECert为证书名

6. 启用数据库加密:

ALTER DATABASE 目标数据库 SET ENCRYPTION ON;

原理:

TDE自动加密磁盘上的数据和日志文件,不需要对数据库额外修改,并且可以加密所有数据库或日志备份。实现方式也很容易。对于加密算法,通常可以使用AES_128/192/256 或者Triple_des_3key。其中TRIPLE-DES强度更高。但是可能影响性能。

对于TDE的性能分析,可以访问这篇文章:http://www.databasejournal.com/features/mssql/article.php/3815501/Performance-Testing-SQL-2008146s-Transparent-Data-Encryption.htm(Performance Testing SQL 2008's Transparent Data Encryption,SQL Server 2008 TDE/透明数据库加密性能测试)。

如果需要还原加密后的数据库文件到另外一台服务器,需要首先还原证书到目标服务器:

USE master; 
CREATE CERTIFICATE TDECert FROM FILE = '\\path\SQL1_TDECert.cer' 
  WITH PRIVATE KEY ( 
    FILE  = '\\path\SQL1_TDECert.pvk', 
    DECRYPTION BY PASSWORD = '密码' 
);
原文出处:http://blog.csdn.net/dba_huangzj/article/details/38398813

然后就能开始还原数据库或日志文件。

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
How does MySQL's licensing compare to other database systems?How does MySQL's licensing compare to other database systems?Apr 25, 2025 am 12:26 AM

MySQL uses a GPL license. 1) The GPL license allows the free use, modification and distribution of MySQL, but the modified distribution must comply with GPL. 2) Commercial licenses can avoid public modifications and are suitable for commercial applications that require confidentiality.

When would you choose InnoDB over MyISAM, and vice versa?When would you choose InnoDB over MyISAM, and vice versa?Apr 25, 2025 am 12:22 AM

The situations when choosing InnoDB instead of MyISAM include: 1) transaction support, 2) high concurrency environment, 3) high data consistency; conversely, the situation when choosing MyISAM includes: 1) mainly read operations, 2) no transaction support is required. InnoDB is suitable for applications that require high data consistency and transaction processing, such as e-commerce platforms, while MyISAM is suitable for read-intensive and transaction-free applications such as blog systems.

Explain the purpose of foreign keys in MySQL.Explain the purpose of foreign keys in MySQL.Apr 25, 2025 am 12:17 AM

In MySQL, the function of foreign keys is to establish the relationship between tables and ensure the consistency and integrity of the data. Foreign keys maintain the effectiveness of data through reference integrity checks and cascading operations. Pay attention to performance optimization and avoid common errors when using them.

What are the different types of indexes in MySQL?What are the different types of indexes in MySQL?Apr 25, 2025 am 12:12 AM

There are four main index types in MySQL: B-Tree index, hash index, full-text index and spatial index. 1.B-Tree index is suitable for range query, sorting and grouping, and is suitable for creation on the name column of the employees table. 2. Hash index is suitable for equivalent queries and is suitable for creation on the id column of the hash_table table of the MEMORY storage engine. 3. Full text index is used for text search, suitable for creation on the content column of the articles table. 4. Spatial index is used for geospatial query, suitable for creation on geom columns of locations table.

How do you create an index in MySQL?How do you create an index in MySQL?Apr 25, 2025 am 12:06 AM

TocreateanindexinMySQL,usetheCREATEINDEXstatement.1)Forasinglecolumn,use"CREATEINDEXidx_lastnameONemployees(lastname);"2)Foracompositeindex,use"CREATEINDEXidx_nameONemployees(lastname,firstname);"3)Forauniqueindex,use"CREATEU

How does MySQL differ from SQLite?How does MySQL differ from SQLite?Apr 24, 2025 am 12:12 AM

The main difference between MySQL and SQLite is the design concept and usage scenarios: 1. MySQL is suitable for large applications and enterprise-level solutions, supporting high performance and high concurrency; 2. SQLite is suitable for mobile applications and desktop software, lightweight and easy to embed.

What are indexes in MySQL, and how do they improve performance?What are indexes in MySQL, and how do they improve performance?Apr 24, 2025 am 12:09 AM

Indexes in MySQL are an ordered structure of one or more columns in a database table, used to speed up data retrieval. 1) Indexes improve query speed by reducing the amount of scanned data. 2) B-Tree index uses a balanced tree structure, which is suitable for range query and sorting. 3) Use CREATEINDEX statements to create indexes, such as CREATEINDEXidx_customer_idONorders(customer_id). 4) Composite indexes can optimize multi-column queries, such as CREATEINDEXidx_customer_orderONorders(customer_id,order_date). 5) Use EXPLAIN to analyze query plans and avoid

Explain how to use transactions in MySQL to ensure data consistency.Explain how to use transactions in MySQL to ensure data consistency.Apr 24, 2025 am 12:09 AM

Using transactions in MySQL ensures data consistency. 1) Start the transaction through STARTTRANSACTION, and then execute SQL operations and submit it with COMMIT or ROLLBACK. 2) Use SAVEPOINT to set a save point to allow partial rollback. 3) Performance optimization suggestions include shortening transaction time, avoiding large-scale queries and using isolation levels reasonably.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SAP NetWeaver Server Adapter for Eclipse

SAP NetWeaver Server Adapter for Eclipse

Integrate Eclipse with SAP NetWeaver application server.

SublimeText3 Linux new version

SublimeText3 Linux new version

SublimeText3 Linux latest version

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)