We have recently implemented Transparent Data Encryption in SQL Server 2008 for local databases on our developers laptops to keep them protected in the case a laptop is stolen or lost. This works fine.
我们最近在SQL Server 2008中为我们的开发人员笔记本电脑上的本地数据库实施了透明数据加密,以便在笔记本电脑被盗或丢失的情况下保护它们。这很好用。
Now we are trying to figure out a way to have the certificate expire everyday, forcing an automated process (a script at logon maybe) to go out to a network path and grab a new certificate with an expiration for a day later. This would ensure that if something unforeseen happened, the data would not be usable the next day.
现在,我们正在尝试找出一种让证书每天到期的方法,强制执行自动化流程(可能是登录时的脚本),然后转到网络路径并获取新证书,并在一天之后到期。这将确保如果发生意外情况,第二天数据将无法使用。
I also looked into using a Cryptographic provider but there doesn't appear to be any "providers" out there. Maybe I'm wrong.
我也考虑过使用加密提供程序,但似乎没有任何“提供者”。也许我错了。
I am open to suggestions. If there is a better way please let me know. Thanks!
我愿意接受建议。如果有更好的方法请告诉我。谢谢!
5 个解决方案
#1
3
Short answer: No
简答:不
Long answer: Once a message (piece of data) is encrypted, that same key will decrypt the same encrypted message, regardless of what time the decryption algorithm is applied. If the key is changed every day, the data must be decrypted with the old key and re-encrypted with the new. If this process doesn't occur (i.e. someone stops the piece of code that performs the re encryption from running), the old key will still work. Even if you do create a cryptographic provider to check the date, someone else can create a new provider to perform the decryption without first checking the date.
答案很长:一旦消息(数据片段)被加密,相同的密钥将解密相同的加密消息,无论解密算法应用的时间。如果每天更改密钥,则必须使用旧密钥解密数据并使用新密钥重新加密。如果没有发生此过程(即有人停止执行重新加密的代码片段),则旧密钥仍然有效。即使您确实创建了加密提供程序来检查日期,其他人也可以创建新的提供程序来执行解密,而无需先检查日期。
#2
1
T address the question rather than the motivation. If you set up a Microsoft CA with a derived template (Set to expire for a day) and also allow autoenrollment on that certificate template. You could then set your SQL machine to be part of a OU within the Directory that uses autoenrolment (Technet will give you resources on this requires the use of goup policy). That way when the certificate expires the machine will automagically request a new one.
解决问题而不是动机。如果您使用派生模板设置Microsoft CA(设置为一天到期),并允许在该证书模板上自动注册。然后,您可以将SQL计算机设置为使用自动注册的目录中的OU的一部分(Technet将为您提供有关这方面的资源,需要使用goup策略)。这样,当证书到期时,机器将自动请求新的证书。
Mark
#3
1
Not true! There are options available for SQL Server 2008 encryption. Check out the database encryption solutions here at TownsendSecurity.com. Townsend's Alliance AES Encryption is a NIST-certified solution that would put you into compliance with the regulations around health care, credit cards, and banking. Also see the white paper on Alliance AES Encryption.
不对!有可用于SQL Server 2008加密的选项。在TownsendSecurity.com上查看数据库加密解决方案。 Townsend的Alliance AES Encryption是经过NIST认证的解决方案,可让您遵守有关医疗保健,信用卡和银行业务的法规。另请参阅Alliance AES Encryption的白皮书。
Businesses with sensitive data in database applications want to encrypt the data in order to secure it from loss. Protecting sensitive data increases customer trust and loyalty, reduces legal liability, and helps meet regulatory requirements for data security. Examples of databases that might contain sensitive information are Oracle Database, IBM DB2, Microsoft SQL Server, MySQL, and Microsoft Access. Regardless of the disk or folder encryption technology that might be used, the actual data should be encrypted to prevent loss
数据库应用程序中具有敏感数据的企业希望加密数据以防止数据丢失。保护敏感数据可提高客户信任度和忠诚度,减少法律责任,并有助于满足数据安全的法规要求。可能包含敏感信息的数据库示例包括Oracle数据库,IBM DB2,Microsoft SQL Server,MySQL和Microsoft Access。无论可能使用的磁盘或文件夹加密技术如何,都应对实际数据进行加密以防止丢失
Full disclosure: I'm an intern at Townsend Security.
完全披露:我是Townsend Security的实习生。
#4
0
Without additional detail I fail to understand how your TDE setup will protect data in case it is lost or stolen.
如果没有其他细节,我无法理解您的TDE设置如何在数据丢失或被盗时保护数据。
If you are not using full disk encryption (via Bitlocker, Truecrypt, etc) then I as an attacker in physical possession of your hardware can easily reset the local admin password, boot up the laptop and access the SQL Server instance with the local admin credentials. At that point I am a sysadmin on the database server and am able to extract any data I want or to turn off TDE.
如果您没有使用全盘加密(通过Bitlocker,Truecrypt等),那么我作为物理拥有您的硬件的攻击者可以轻松重置本地管理员密码,启动笔记本电脑并使用本地管理员凭据访问SQL Server实例。那时我是数据库服务器上的系统管理员,能够提取我想要的任何数据或关闭TDE。
In addition since all of the encryption keys and certificates are stored locally it is relatively easy for an attacker in physical possession of the device to gain access to them. TDE is only meaningful for data protection when you physically separate the Database Encryption Key protectors (stored in the master database) from the encrypted database.
此外,由于所有加密密钥和证书都存储在本地,因此物理拥有设备的攻击者可以相对容易地访问它们。当您将数据库加密密钥保护程序(存储在主数据库中)与加密数据库物理分离时,TDE仅对数据保护有意义。
If you are using full disk encryption than the usage of TDE is not providing any additional deterrent to an attacker and is only adversely affecting system performance of your developers laptops.
如果您使用的是全磁盘加密,则TDE的使用不会对攻击者提供任何额外的威慑,并且只会对您的开发人员笔记本电脑的系统性能产生负面影响。
#5
0
You're right - what you want is a cryptographic provider, and you're right that there's none out there yet.
你是对的 - 你想要的是一个加密提供者,你是对的,那里还没有。
If you're going to the PASS Summit in November, talk to JC Cannon from Microsoft. He's doing a session on compliance, and he's the head of the SQL Server Compliance group. He's tied into the vendors that are currently working on building cryptographic providers, and he may be able to talk to you about vendor names. Right now they haven't come out publicly to announce who's doing it yet.
如果你去11月参加PASS峰会,请与微软的JC Cannon交谈。他正在开展合规会议,他是SQL Server合规性小组的负责人。他与目前正在建立加密提供商的供应商联系在一起,他或许可以与您讨论供应商名称。现在他们还没有公开宣布谁在做这件事。
#1
3
Short answer: No
简答:不
Long answer: Once a message (piece of data) is encrypted, that same key will decrypt the same encrypted message, regardless of what time the decryption algorithm is applied. If the key is changed every day, the data must be decrypted with the old key and re-encrypted with the new. If this process doesn't occur (i.e. someone stops the piece of code that performs the re encryption from running), the old key will still work. Even if you do create a cryptographic provider to check the date, someone else can create a new provider to perform the decryption without first checking the date.
答案很长:一旦消息(数据片段)被加密,相同的密钥将解密相同的加密消息,无论解密算法应用的时间。如果每天更改密钥,则必须使用旧密钥解密数据并使用新密钥重新加密。如果没有发生此过程(即有人停止执行重新加密的代码片段),则旧密钥仍然有效。即使您确实创建了加密提供程序来检查日期,其他人也可以创建新的提供程序来执行解密,而无需先检查日期。
#2
1
T address the question rather than the motivation. If you set up a Microsoft CA with a derived template (Set to expire for a day) and also allow autoenrollment on that certificate template. You could then set your SQL machine to be part of a OU within the Directory that uses autoenrolment (Technet will give you resources on this requires the use of goup policy). That way when the certificate expires the machine will automagically request a new one.
解决问题而不是动机。如果您使用派生模板设置Microsoft CA(设置为一天到期),并允许在该证书模板上自动注册。然后,您可以将SQL计算机设置为使用自动注册的目录中的OU的一部分(Technet将为您提供有关这方面的资源,需要使用goup策略)。这样,当证书到期时,机器将自动请求新的证书。
Mark
#3
1
Not true! There are options available for SQL Server 2008 encryption. Check out the database encryption solutions here at TownsendSecurity.com. Townsend's Alliance AES Encryption is a NIST-certified solution that would put you into compliance with the regulations around health care, credit cards, and banking. Also see the white paper on Alliance AES Encryption.
不对!有可用于SQL Server 2008加密的选项。在TownsendSecurity.com上查看数据库加密解决方案。 Townsend的Alliance AES Encryption是经过NIST认证的解决方案,可让您遵守有关医疗保健,信用卡和银行业务的法规。另请参阅Alliance AES Encryption的白皮书。
Businesses with sensitive data in database applications want to encrypt the data in order to secure it from loss. Protecting sensitive data increases customer trust and loyalty, reduces legal liability, and helps meet regulatory requirements for data security. Examples of databases that might contain sensitive information are Oracle Database, IBM DB2, Microsoft SQL Server, MySQL, and Microsoft Access. Regardless of the disk or folder encryption technology that might be used, the actual data should be encrypted to prevent loss
数据库应用程序中具有敏感数据的企业希望加密数据以防止数据丢失。保护敏感数据可提高客户信任度和忠诚度,减少法律责任,并有助于满足数据安全的法规要求。可能包含敏感信息的数据库示例包括Oracle数据库,IBM DB2,Microsoft SQL Server,MySQL和Microsoft Access。无论可能使用的磁盘或文件夹加密技术如何,都应对实际数据进行加密以防止丢失
Full disclosure: I'm an intern at Townsend Security.
完全披露:我是Townsend Security的实习生。
#4
0
Without additional detail I fail to understand how your TDE setup will protect data in case it is lost or stolen.
如果没有其他细节,我无法理解您的TDE设置如何在数据丢失或被盗时保护数据。
If you are not using full disk encryption (via Bitlocker, Truecrypt, etc) then I as an attacker in physical possession of your hardware can easily reset the local admin password, boot up the laptop and access the SQL Server instance with the local admin credentials. At that point I am a sysadmin on the database server and am able to extract any data I want or to turn off TDE.
如果您没有使用全盘加密(通过Bitlocker,Truecrypt等),那么我作为物理拥有您的硬件的攻击者可以轻松重置本地管理员密码,启动笔记本电脑并使用本地管理员凭据访问SQL Server实例。那时我是数据库服务器上的系统管理员,能够提取我想要的任何数据或关闭TDE。
In addition since all of the encryption keys and certificates are stored locally it is relatively easy for an attacker in physical possession of the device to gain access to them. TDE is only meaningful for data protection when you physically separate the Database Encryption Key protectors (stored in the master database) from the encrypted database.
此外,由于所有加密密钥和证书都存储在本地,因此物理拥有设备的攻击者可以相对容易地访问它们。当您将数据库加密密钥保护程序(存储在主数据库中)与加密数据库物理分离时,TDE仅对数据保护有意义。
If you are using full disk encryption than the usage of TDE is not providing any additional deterrent to an attacker and is only adversely affecting system performance of your developers laptops.
如果您使用的是全磁盘加密,则TDE的使用不会对攻击者提供任何额外的威慑,并且只会对您的开发人员笔记本电脑的系统性能产生负面影响。
#5
0
You're right - what you want is a cryptographic provider, and you're right that there's none out there yet.
你是对的 - 你想要的是一个加密提供者,你是对的,那里还没有。
If you're going to the PASS Summit in November, talk to JC Cannon from Microsoft. He's doing a session on compliance, and he's the head of the SQL Server Compliance group. He's tied into the vendors that are currently working on building cryptographic providers, and he may be able to talk to you about vendor names. Right now they haven't come out publicly to announce who's doing it yet.
如果你去11月参加PASS峰会,请与微软的JC Cannon交谈。他正在开展合规会议,他是SQL Server合规性小组的负责人。他与目前正在建立加密提供商的供应商联系在一起,他或许可以与您讨论供应商名称。现在他们还没有公开宣布谁在做这件事。