Fortanix Data Security Manager with Microsoft SQL Server TDE Integration - Backup & Restore

1.0 Introduction

This article describes the step-by-step procedure to backup and restore the Microsoft SQL server Transparent Data Encryption (TDE) enabled database, which is protected by Fortanix-Data-Security-Manager (DSM).

To perform the restoration, the target database MSSQL Server must point to the same asymmetric key, which was previously created on the source database MSSQL Server.

When TDE is enabled on a database, its backup files are also encrypted. The following error appears on the screen when the user tries to restore a TDE-enabled database backup on a different server:

NOTE

Ensure that you have performed the steps from the Data Security Manager with Microsoft SQL TDE Integration – Before You Begin.

2.0 Backing Up the Data from Source

This section lists the steps for backing up your database from the source server. This backup contains the data in encrypted format, including the Data Encryption Key (DEK) protected by the Fortanix master key.

In the given example, we will use the database name as employee and we are backing it up from the Object Explorer or T-SQL command.

1. Right-click the desired database (Company).

2. Select Tasks and click the Back Up option from the context menu.

   

   1. Select the backup path.

      

   2. Backup completed successfully.

      

3. Move the backup database to the target server.

4. Log in to the secondary target server.

3.0 Configuring TDE on Target Server

3.1 Enabling SQL Features

Run the following commands if Extensible Key Management (EKM) is not supported or enabled in the SQL server edition:

sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO

3.2 Creating Cryptographic Provider

Run the following commands to use the correct location of the EKM DLL:

CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'C:\Program Files\Fortanix\KmsClient\FortanixKmsEkmProvider.dll' ;
GO

Where,

• EKM_Prov refers to the name of the provider defined by the user.

3.3 Creating Credentials

This section describes the steps to create the credentials to generate the master key on the Fortanix DSM using the SQL admin.

1. Run the following commands to create a credential in your SQL Server Studio that will be used by the system administrators:

   CREATE CREDENTIAL sa_ekm_tde_cred
   WITH IDENTITY = 'Identity1',
   SECRET = '<DSM API KEY>' 
   FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
   GO

   Where,

   • <DSM_API_KEY> refers to the Fortanix DSM API key as copied in Fortanix Data Security Manager with Microsoft SQL Server TDE Integration - Before You Begin.

   

2. Add the credential to a highly privileged user, such as your own domain login, in the format [DOMAIN\login]:

   ALTER LOGIN EC2AMAZ-1RDPAEU\Administrator
   ADD CREDENTIAL "sa_ekm_tde_cred";
   GO
   

   Run the following commands in case there is no domain, and the machine is part of a workgroup or standalone:

   ALTER LOGIN LOCALHOST\Administrator
   ADD CREDENTIAL "sa_ekm_tde_cred";
   GO

   

   If you are not an administrator and hence unable to alter the login, open the Object Explorer and map the credentials as shown in the following image:

   

3.4 Creating an Asymmetric Key

The MSSQL admin has the credentials associated with creating the Master Encryption Key (MEK) on the Fortanix DSM. This section describes the steps to create the asymmetric key from the existing key in the Fortanix DSM.

Run the following commands to create an asymmetric key stored inside the EKM provider:

USE master
CREATE ASYMMETRIC KEY ekm_login_key FROM PROVIDER EKM_Prov
WITH PROVIDER_KEY_NAME='SQL_Server_Key',
CREATION_DISPOSITION = OPEN_EXISTING;
GO

Where,

• ekm_login_key is the key name on the SQL server created on the source server.

• SQL_Server_Key is the key name on Fortanix DSM created on the source server.

3.5 Creating Credentials (DB Engine)

Run the following commands to create a credential that will be used by the database engine:

USE master;
CREATE CREDENTIAL ekm_tde_cred
WITH IDENTITY = 'Identity2',
SECRET = '<DSM API KEY>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;

Where,

• ekm_tde_cred refers to the name of the credentials.

• Identity2refers to the identity name. The value can be any name.

• EKM_Prov refers to the Fortanix EKM Provider.

• SECRET refers to the Fortanix DSM API key as copied in Fortanix Data Security Manager with Microsoft SQL Server TDE Integration - Before You Begin.

3.6 Creating Login (DB Engine)

Run the following commands to add a login used by TDE and add the new credential to the login:

CREATE LOGIN EKM_Login
FROM ASYMMETRIC KEY ekm_login_key ;
GO
ALTER LOGIN EKM_Login
ADD CREDENTIAL ekm_tde_cred ;
GO

Where,

• ekm_login_key refers to the master key alias on the MSSQL Server database. This key is already created in Section 3.4: Creating an Asymmetric Key.

• EKM_Login refers to the login name.

• ekm_tde_cred refers to the key created on the Fortanix DSM. This credential is already created in Section 3.3: Creating Credential (DB Engine).

4.0 Restoring the Encrypted Database

This section describes the steps for restoring the encrypted backup on the target server. When the backup is encrypted with TDE at the time of restoration, the database tries to unlock the DEK using MEK. The SQL server starts the restoration process only if the respective master key is available on the database.