  • TDE encryption in SQL Server

    The main purpose of TDE (Transparent Data Encryption) is to protect against theft of database backups or data files: whoever steals the backup or the files cannot restore or attach the database without the database encryption key.

    USE [master];
    GO

    -- Check whether master already has a database master key, and whether it is encrypted by the service master key
    SELECT name, is_master_key_encrypted_by_server FROM sys.databases;

    -- Create the database master key in master
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'^&*()0A';

    -- View the key information in master
    SELECT * FROM sys.symmetric_keys;

    -- Create the certificate that will protect the database encryption key (DEK)
    CREATE CERTIFICATE master_server_cert WITH SUBJECT = N'Master Protect DEK Certificate';

    IF DB_ID('db_encryption_test') IS NOT NULL
        DROP DATABASE db_encryption_test;

    -- Create the test database
    CREATE DATABASE db_encryption_test;
    GO

    USE db_encryption_test;

    -- Create the DEK (a symmetric key) protected by master_server_cert
    CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_128
    ENCRYPTION BY SERVER CERTIFICATE master_server_cert;
    GO

    -- Back up the certificate together with its private key (required to restore or attach the encrypted database elsewhere)
    USE master;
    BACKUP CERTIFICATE master_server_cert TO FILE = 'D:\MSSQL\Certificate\master_server_cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\MSSQL\Certificate\master_server_cert.pvk',
        ENCRYPTION BY PASSWORD = '^&*()0A'
    );

    -- Likewise, back up the database master key of master
    USE master;
    -- If automatic decryption of the master key is not enabled, open it first:
    -- OPEN MASTER KEY DECRYPTION BY PASSWORD = '^&*()0A';
    BACKUP MASTER KEY TO FILE = 'D:\MSSQL\MasterKey\master.cer'
    ENCRYPTION BY PASSWORD = '^&*()0A';
    GO

    -- In production, switch the database to single-user mode before enabling encryption
    ALTER DATABASE db_encryption_test SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
    GO

    -- Once the backups have succeeded, turn TDE on
    ALTER DATABASE db_encryption_test SET ENCRYPTION ON;
    GO

    -- Return the database to multi-user access
    ALTER DATABASE db_encryption_test SET MULTI_USER WITH ROLLBACK IMMEDIATE;
    GO

    -- Check whether db_encryption_test is encrypted; encryption_state = 3 means TDE encryption is complete
    SELECT DB_NAME(database_id), encryption_state FROM sys.dm_database_encryption_keys;
    /*
    tempdb shows up as encrypted too. MSDN explains that if any database in the instance
    has TDE enabled, tempdb is encrypted as well.
    */

    -- Next, use another machine or instance to test that the data files cannot simply be attached if they are stolen.
    USE master;
    EXEC sp_detach_db N'db_encryption_test';
    GO


    USE master;
    -- I first restored the MASTER KEY on the other machine (its master database had no master key)
    RESTORE MASTER KEY
    FROM FILE = 'C:\Users\Administrator\Desktop\master.cer'
    DECRYPTION BY PASSWORD = '^&*()0A'
    ENCRYPTION BY PASSWORD = '^&*()0A';
    GO

    -- If automatic decryption of the master key is not enabled, open it
    OPEN MASTER KEY DECRYPTION BY PASSWORD = N'^&*()0A';
    -- Recreate the certificate from the backup files
    CREATE CERTIFICATE master_server_cert
    FROM FILE = 'C:\Users\Administrator\Desktop\master_server_cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Users\Administrator\Desktop\master_server_cert.pvk',
        DECRYPTION BY PASSWORD = '^&*()0A'
    );
    GO
    -- Attach the database
    CREATE DATABASE db_encryption_test
    ON PRIMARY
    (
        FILENAME = N'C:\Users\Administrator\Desktop\db_encryption_test.mdf'
    )
    LOG ON
    (
        FILENAME = N'C:\Users\Administrator\Desktop\db_encryption_test_log.ldf'
    )
    FOR ATTACH;
    GO

    -- Test succeeded (the attach works only because the certificate was restored first)

    -- Close the master key when finished
    CLOSE MASTER KEY;
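The post stresses that the certificate protecting the DEK must be backed up before TDE is switched on, because losing it makes the encrypted database unrecoverable. As an added check (not part of the original post), the following T-SQL audits every database on the instance that has a DEK: its encryption state and progress, the certificate protecting the DEK, and whether that certificate's private key has ever been backed up. It assumes SQL Server 2012 or later (for encryptor_type and pvt_key_last_backup_date); the 30-day staleness threshold is an arbitrary choice.

```sql
-- Added audit query (not from the original post). Joins each DEK to the
-- certificate in master that protects it and flags certificates whose
-- private key was never backed up or was backed up too long ago.
-- Assumption: SQL Server 2012+; the 30-day threshold is illustrative.
USE master;
GO
SELECT
    DB_NAME(dek.database_id)                AS database_name,
    CASE dek.encryption_state
        WHEN 0 THEN 'No DEK present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
    END                                     AS state_desc,
    dek.percent_complete,
    dek.key_algorithm,
    dek.key_length,
    dek.encryptor_type,                     -- CERTIFICATE or ASYMMETRIC KEY (EKM)
    c.name                                  AS protecting_certificate,
    c.expiry_date,
    c.pvt_key_last_backup_date,
    CASE
        WHEN c.name IS NULL
            THEN 'WARNING: protecting certificate not found in master'
        WHEN c.pvt_key_last_backup_date IS NULL
            THEN 'WARNING: certificate private key never backed up'
        WHEN c.pvt_key_last_backup_date < DATEADD(DAY, -30, GETDATE())
            THEN 'WARNING: last private key backup older than 30 days'
        ELSE 'OK'
    END                                     AS backup_status
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint
ORDER BY database_name;
```

tempdb appears in the result set as well once any database on the instance has TDE enabled, which matches the behaviour noted above.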




  • Original source: https://www.cnblogs.com/glume/p/4736936.html