Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Migration Tasks

Migration of Transparent Database (TDE)

search

Migration of Transparent Database (TDE)

TDE Live Migration

The live migration steps are run on an up and running database.

Before performing the following steps for Live Migration, ensure that DSM backup is successfully restored into the CipherTrust Manager. Add the VKM_mode parameter and set the corresponding value to no in cakm_mssql_ekm.properties file.

Note

Use a key name other than that used with VKM. The user executing the commands below must have credentials mapped to their login with a username/password combination that exists on the CipherTrust Manager and that user must have at least Key Admins privileges.

  1. Fetch the keys from the CipherTrust Manager using the following commands:

    USE Master;

CREATE ASYMMETRIC KEY `<new_asym_key_name>`
FROM PROVIDER `<cakm_ekm_provider_name>`
WITH
PROVIDER_KEY_NAME = '<key_name_on_cm>',
CREATION_DISPOSITION=OPEN_EXISTING

  2. Create TDE Login and add credentials.

    CREATE LOGIN <tde_login_name>
FROM ASYMMETRIC KEY <new_asym_key_name>;

CREATE CREDENTIAL <tde_cred_name>
WITH IDENTITY = '<domain_name||cm_username>',
SECRET = '<cm_password>'
FOR CRYPTOGRAPHIC PROVIDER <cakm_ekm_provider_name>;

ALTER LOGIN <tde_login_name>
ADD CREDENTIAL <tde_cred_name>;

  3. Rotate the Database Encryption Key (DEK).

    Note

    <algorithm_name> used for DEK should be same as that was used with VKM.

    • For Microsoft SQL Server versions 2016 and above, use the below command to rotate the DEK.

      USE <db_name>

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM=<algorithm_name>

ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY <new_asym_key_name>

      Note

      Here, ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM=<algorithm_name> is optional as it rekeys the database that may take time depending on the resource of the system and the size of the database.

    • For Microsoft SQL Server versions below 2016.

      USE <db_name>

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = <algorithm_name>
ENCRYPTION BY SERVER ASYMMETRIC KEY <new_asym_key_name>;

    With this, TDE is enabled on <db_name> with CAKM for Microsoft SQL EKM provider.

TDE Passive Migration

Passive migration steps are run on a restored MS SQL database backup.

Before performing the following steps for Passive Migration, ensure that DSM backup is successfully restored into the CipherTrust Manager.

  1. Update the VKM_mode parameter, set the corresponding value to yes in cakm_mssql_ekm.properties file, and restart the Microsoft SQL Server Service.

  2. Fetch the restored Asymmetric Key from the CipherTrust Manager, using the following commands:

    USE Master;

CREATE ASYMMETRIC KEY `<new_asym_key_name>`
FROM PROVIDER `<cakm_ekm_provider_name>`
WITH
PROVIDER_KEY_NAME = '<key_name_on_cm>',
CREATION_DISPOSITION=OPEN_EXISTING

    Note

    Use a key name other than that was used with VKM.

  3. Create TDE Login and add credentials.

    CREATE LOGIN <tde_login_name>
FROM ASYMMETRIC KEY <new_asym_key_name>;

CREATE CREDENTIAL <tde_cred_name>
WITH IDENTITY = '<domain_name||cm_username>',
SECRET = '<cm_password>'
FOR CRYPTOGRAPHIC PROVIDER <cakm_ekm_provider_name>;

ALTER LOGIN <tde_login_name>
ADD CREDENTIAL <tde_cred_name>;

  4. Before restoring the database, ensure that the database backup is copied to the desired Microsoft SQL Server node. Now, restore the database <db_name> using the below command.

    RESTORE DATABASE <DB Name> FROM DISK = '<backup_file_path>\<backup_file_name>.bak' WITH REPLACE;

  5. Set the ENCRYPTION OFF for database <db_name>.

    Use <db_name>;

ALTER DATABASE <db_name>
SET ENCRYPTION OFF;

  6. Drop the Database Encryption Key (DEK).

    DROP DATABASE ENCRYPTION KEY;

  7. Set the database recovery mode from FULL to SIMPLE.

    USE master;

ALTER DATABASE <db_name> SET RECOVERY SIMPLE WITH NO_WAIT

  8. Set the VKM_Mode property to no in the cakm_mssql_ekm.properties file and restart the Microsoft SQL Server service.

  9. Create a new Asymmetric key for the database <db_name>.

    USE master;

CREATE ASYMMETRIC KEY <new_key_name>
FROM PROVIDER <cakm_ekm_provider_name>
WITH ALGORITHM = <algorithm_name>,
PROVIDER_KEY_NAME = '<key_name_on_cm>',
CREATION_DISPOSITION=CREATE_NEW

    Note

    <algorithm_name> should be same as that was used with VKM.

  10. Create new TDE login and credential.

    CREATE LOGIN <new_tde_login_name>
FROM ASYMMETRIC KEY <new_asym_key_name>;

CREATE CREDENTIAL <new_tde_cred_name>
WITH IDENTITY = '<domain_name||cm_username>',
SECRET = '<cm_password>'
FOR CRYPTOGRAPHIC PROVIDER <cakm_ekm_provider_name>;

ALTER LOGIN <new_tde_login_name>
ADD CREDENTIAL <new_tde_cred_name>;

  11. Create a new DEK for the database <db_name>.

    USE <db_name>

CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = <algorithm_name>
ENCRYPTION BY SERVER ASYMMETRIC KEY <new_asym_key_name>;

  12. Set the ENCRYPTION ON for database <db_name>.

    Use <db_name>;
ALTER DATABASE <db_name>
SET ENCRYPTION ON;

  13. Set the database recovery mode from SIMPLE to FULL.

    USE master;
ALTER DATABASE <db_name> SET RECOVERY FULL WITH NO_WAIT

    With this, TDE is enabled on <db_name> with CAKM for Microsoft SQL EKM provider.

On this page