Fortanix Data Security Manager with Microsoft SQL Server TDE Integration - Backup & Restore

Prev Next

1.0 Introduction

This article describes the step-by-step procedure to backup and restore the Microsoft SQL server Transparent Data Encryption (TDE) enabled database, which is protected by Fortanix-Data-Security-Manager (DSM).

To perform the restoration, the target database MSSQL Server must point to the same asymmetric key, which was previously created on the source database MSSQL Server.

When TDE is enabled on a database, its backup files are also encrypted. The following error appears on the screen when the user tries to restore a TDE-enabled database backup on a different server:

ERROR_DIALOG_BOX.png

Figure 1: Error dialog box

NOTE

Ensure that you have performed the steps from the Data Security Manager with Microsoft SQL TDE Integration – Before You Begin.

2.0 Backing Up the Data from Source

This section lists the steps for backing up your database from the source server. This backup contains the data in encrypted format, including the Data Encryption Key (DEK) protected by the Fortanix master key.

In the given example, we will use the database name as employee and we are backing it up from the Object Explorer or T-SQL command.

  1. Right-click the desired database (Company).

  2. Select Tasks and click the Back Up option from the context menu.

    TAKE_BACKUP_OF_SOURCE_SERVER.png

    Figure 2: Take backup of source server

    1. Select the backup path.

      SELECT_THE_BACKUP_PATH.png

      Figure 3: Select the backup path

    2. Backup completed successfully.

      BACKUP_COMPLETED.png

      Figure 4: Backup completed

  3. Move the backup database to the target server.

  4. Log in to the secondary target server.

3.0 Configuring TDE on Target Server

3.1 Enabling SQL Features

Run the following commands if Extensible Key Management (EKM) is not supported or enabled in the SQL server edition:

sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO
RUN_COMMANDS_FOR_ERROR_SCENARIO.png

Figure 5: Run commands for error scenario

3.2 Creating Cryptographic Provider

Run the following commands to use the correct location of the EKM DLL:

CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'C:\Program Files\Fortanix\KmsClient\FortanixKmsEkmProvider.dll' ;
GO

Where,

  • EKM_Prov refers to the name of the provider defined by the user.

CREATE_CRYPTOGRAPHIC_PROVIDER.png

Figure 6: Create a cryptographic provider

3.3 Creating Credentials

This section describes the steps to create the credentials to generate the master key on the Fortanix DSM using the SQL admin.

  1. Run the following commands to create a credential in your SQL Server Studio that will be used by the system administrators:

    CREATE CREDENTIAL sa_ekm_tde_cred
    WITH IDENTITY = 'Identity1',
    SECRET = '<DSM API KEY>' 
    FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
    GO

    Where,

    Figure 7: Create credentials

  2. Add the credential to a highly privileged user, such as your own domain login, in the format [DOMAIN\login]:

    ALTER LOGIN EC2AMAZ-1RDPAEU\Administrator
    ADD CREDENTIAL "sa_ekm_tde_cred";
    GO
    

    Run the following commands in case there is no domain, and the machine is part of a workgroup or standalone:

    ALTER LOGIN LOCALHOST\Administrator
    ADD CREDENTIAL "sa_ekm_tde_cred";
    GO
    COMMAND_FOR_NO_DOMAIN.png

    Figure 8: Command for no domain

    If you are not an administrator and hence unable to alter the login, open the Object Explorer and map the credentials as shown in the following image:

    MAP_CREDENTIALS.png

    Figure 9: Map credentials

3.4 Creating an Asymmetric Key

The MSSQL admin has the credentials associated with creating the Master Encryption Key (MEK) on the Fortanix DSM. This section describes the steps to create the asymmetric key from the existing key in the Fortanix DSM.

Run the following commands to create an asymmetric key stored inside the EKM provider:

USE master
CREATE ASYMMETRIC KEY ekm_login_key FROM PROVIDER EKM_Prov
WITH PROVIDER_KEY_NAME='SQL_Server_Key',
CREATION_DISPOSITION = OPEN_EXISTING;
GO

Where,

  • ekm_login_key is the key name on the SQL server created on the source server.

  • SQL_Server_Key is the key name on Fortanix DSM created on the source server.

CREATING_ASYMMETRIC_KEYS.png

Figure 10: Creating an asymmetric key

3.5 Creating Credentials (DB Engine)

Run the following commands to create a credential that will be used by the database engine:

USE master;
CREATE CREDENTIAL ekm_tde_cred
WITH IDENTITY = 'Identity2',
SECRET = '<DSM API KEY>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;

Where,

CREATE_CREDENTIAL_FOR_DATABASE_ENGINE.png

Figure 11: Create credential for database engine

3.6 Creating Login (DB Engine)

Run the following commands to add a login used by TDE and add the new credential to the login:

CREATE LOGIN EKM_Login
FROM ASYMMETRIC KEY ekm_login_key ;
GO
ALTER LOGIN EKM_Login
ADD CREDENTIAL ekm_tde_cred ;
GO

Where,

ADD_NEW_CREDENTIAL_TO_LOGIN.png

Figure 12: Add new credential to login

4.0 Restoring the Encrypted Database

This section describes the steps for restoring the encrypted backup on the target server. When the backup is encrypted with TDE at the time of restoration, the database tries to unlock the DEK using MEK. The SQL server starts the restoration process only if the respective master key is available on the database.

RESTORING_DATABASE.png

Figure 13: Restoring database