Comments on: SQL 2008 one click database encryption gives a false sense of security http://itknowledgeexchange.techtarget.com/sql-server/sql-2008-one-click-database-encryption-gives-a-false-sense-of-security/ Mon, 23 Nov 2009 18:28:56 +0000 http://wordpress.org/?v=2.6.2 By: Mrdenny http://itknowledgeexchange.techtarget.com/sql-server/sql-2008-one-click-database-encryption-gives-a-false-sense-of-security/#comment-81 Mrdenny Mon, 18 Aug 2008 14:42:08 +0000 http://itknowledgeexchange.techtarget.com/sql-server/sql-2008-one-click-database-encryption-gives-a-false-sense-of-security/#comment-81 Brent, Keeping in mind that I haven't had time to really beat on TDE that much. But if your SAN admin took a snap of the LUN that the encrypted database was on, they probably also have a snap of the master database, and all the various keys which are stored in the master database, and the folder that the master database is sitting in. They can probably just attach that database to another machine, fire it up with the old master database and have the system decrypt the database as all the keys are there. (Again I haven't played with it to try this yet.) If as a DBA you can't trust your SAN admin, you've got bigger problems than the SAN admin swiping the database. Denny Brent,
Keeping in mind that I haven’t had time to really beat on TDE that much. But if your SAN admin took a snap of the LUN that the encrypted database was on, they probably also have a snap of the master database, and all the various keys which are stored in the master database, and the folder that the master database is sitting in. They can probably just attach that database to another machine, fire it up with the old master database and have the system decrypt the database as all the keys are there.

(Again I haven’t played with it to try this yet.)

If as a DBA you can’t trust your SAN admin, you’ve got bigger problems than the SAN admin swiping the database.

Denny

]]> By: BrentOzar http://itknowledgeexchange.techtarget.com/sql-server/sql-2008-one-click-database-encryption-gives-a-false-sense-of-security/#comment-80 BrentOzar Mon, 11 Aug 2008 13:42:37 +0000 http://itknowledgeexchange.techtarget.com/sql-server/sql-2008-one-click-database-encryption-gives-a-false-sense-of-security/#comment-80 Hi, Denny. The other reason TDE is useful is in SAN environments. The SAN administrator can take a snapshot of an array at any time without stopping the application. Granted, the snapshot will be dirty, but it's usually recoverable, and even if it isn't, they can retake the snapshot until they get a decent copy. Then, they can mount that snapshot on another server and they've got a working copy of the company's databases, bypassing security. TDE is great for that. SAN-to-SAN replication makes this an even bigger issue: if you're doing SAN-based replication to your DR site, and especially if your DR site is a colo, someone else can take the snapshot at your DR site and pull the copied drives. Hi, Denny. The other reason TDE is useful is in SAN environments. The SAN administrator can take a snapshot of an array at any time without stopping the application. Granted, the snapshot will be dirty, but it’s usually recoverable, and even if it isn’t, they can retake the snapshot until they get a decent copy. Then, they can mount that snapshot on another server and they’ve got a working copy of the company’s databases, bypassing security. TDE is great for that.

SAN-to-SAN replication makes this an even bigger issue: if you’re doing SAN-based replication to your DR site, and especially if your DR site is a colo, someone else can take the snapshot at your DR site and pull the copied drives.

]]>