Original source: http://blog.csdn.net/dba_huangzj/article/details/38398813, series index: http://blog.csdn.net/dba_huangzj/article/details/37906349. Without the author's consent, no one may republish this as "original" work or use it for commercial purposes; the author accepts no legal liability.
Previous article: http://blog.csdn.net/dba_huangzj/article/details/38368737
Preface:
If no permission controls are applied to the database files (MDF/LDF, etc.), an attacker can copy those files and attach them on their own machine for analysis. The first layer of protection is NTFS permission control on the file system where the SQL Server files reside. For further protection you can use Transparent Data Encryption (TDE), which protects all files of the corresponding database, however many there are. Because the files are encrypted, even if they are copied away they cannot be used without the database master key. At the same time, this encryption does not affect how users work with the database, and developers need to do no extra work for it.
Note that only the Developer, Enterprise and Datacenter editions support TDE.
Implementation:
1. Create the server master key:
USE master; CREATE MASTER KEY ENCRYPTION BY PASSWORD = '强密码';
2. Back up the master key immediately and store it in a safe place; if the master key is lost, even you will be unable to use the database:
BACKUP MASTER KEY TO FILE = '\\path\SQL1_master.key' ENCRYPTION BY PASSWORD = '强密码';
The password must meet the Windows security policy requirements, and the SQL Server service account must have write permission on the target directory.
3. Create the server certificate in the master database:
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE Certificate';
4. Back up the certificate:
BACKUP CERTIFICATE TDECert TO FILE = '\\path\SQL1_TDECert.cer' WITH PRIVATE KEY ( FILE = '\\path\SQL1_TDECert.pvk', ENCRYPTION BY PASSWORD = '另外一个强密码' );
5. Create the database encryption key for the target database (GO must be on its own line, as it is a batch separator and not a T-SQL statement):
USE 目标数据库;
GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE TDECert; -- TDECert is the certificate name
6. Enable encryption on the database:
ALTER DATABASE 目标数据库 SET ENCRYPTION ON;
How it works:
TDE automatically encrypts the data and log files on disk, requires no additional changes to the database, and also encrypts all database and log backups. It is also easy to implement. For the encryption algorithm you can normally use AES_128/192/256 or TRIPLE_DES_3KEY; TRIPLE_DES is stronger but may affect performance.
For a performance analysis of TDE, see this article: http://www.databasejournal.com/features/mssql/article.php/3815501/Performance-Testing-SQL-2008146s-Transparent-Data-Encryption.htm (Performance Testing SQL 2008's Transparent Data Encryption).
To restore the encrypted database files on another server, first restore the certificate on the target server:
USE master; CREATE CERTIFICATE TDECert FROM FILE = '\\path\SQL1_TDECert.cer' WITH PRIVATE KEY ( FILE = '\\path\SQL1_TDECert.pvk', DECRYPTION BY PASSWORD = '密码' );
Then you can restore the database or log files.
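An added verification script, not part of the original post, that a DBA can run after step 6 (and before attempting the restore on another server) to confirm the setup above. It assumes the certificate is named TDECert as in the post, that the target database name is the placeholder below, and that the login has VIEW SERVER STATE.

```sql
-- Added example, not from the original post: post-deployment checks for the TDE
-- steps above. Assumes the certificate is named TDECert (as in the post), that the
-- target database name is the placeholder below, and the login has VIEW SERVER STATE.
DECLARE @db sysname = N'TargetDatabase';  -- placeholder: the database from step 6

-- 1. Edition check: TDE requires Enterprise, Datacenter or Developer (EngineEdition = 3).
SELECT SERVERPROPERTY('Edition') AS edition,
       CASE WHEN CONVERT(int, SERVERPROPERTY('EngineEdition')) = 3
            THEN 'TDE supported' ELSE 'TDE NOT supported on this edition' END AS tde_support;

-- 2. The master database must hold the master key from step 1; a server that
--    will receive the restored certificate needs one of its own as well.
SELECT CASE WHEN EXISTS (SELECT 1 FROM master.sys.symmetric_keys
                         WHERE name = N'##MS_DatabaseMasterKey##')
            THEN 'master key present' ELSE 'WARNING: no master key in master' END AS master_key_status;

-- 3. Encryption state of every database with a DEK (result of steps 5 and 6).
--    encryption_state 2 = encryption in progress, 3 = encrypted; percent_complete shows progress.
SELECT d.name, d.is_encrypted, k.encryption_state, k.percent_complete,
       k.key_algorithm, k.key_length, k.encryptor_thumbprint
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;

-- 4. The DEK must be protected by the certificate whose backup (step 4) will be
--    restored elsewhere, and that certificate must actually have been backed up.
SELECT c.name AS certificate_name,
       CASE WHEN c.thumbprint = k.encryptor_thumbprint THEN 'match' ELSE 'MISMATCH' END AS dek_uses_this_cert,
       c.pvt_key_last_backup_date,
       CASE WHEN c.pvt_key_last_backup_date IS NULL
            THEN 'WARNING: private key never backed up; database is lost with this server'
            ELSE 'backup recorded' END AS backup_status
FROM master.sys.certificates AS c
JOIN sys.dm_database_encryption_keys AS k ON k.database_id = DB_ID(@db)
WHERE c.name = N'TDECert';

-- 5. Side effect to plan for: once any user database is TDE-enabled, tempdb is encrypted too.
SELECT name, is_encrypted FROM sys.databases WHERE name = N'tempdb';
```

A MISMATCH in check 4 means the certificate backup you hold will not open the database on another server; a NULL backup date means step 4 was never completed.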