Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Migration Tasks

Migration of Transparent Database (TDE)

search
printsuggest an edit

Migration of Transparent Database (TDE)

copy link to clipboardTDE Live Migration

The live migration steps are run on an up and running database.

Before performing the following steps for Live Migration, ensure that DSM backup is successfully restored into the CipherTrust Manager. Add the VKM_mode parameter and set the corresponding value to no in cakm_mssql_ekm.properties file.

Note

Use a key name other than that used with VKM. The user executing the commands below must have credentials mapped to their login with a username/password combination that exists on the CipherTrust Manager and that user must have at least Key Admins privileges.

  1. Fetch the keys from the CipherTrust Manager using the following commands:

    USE Master;

CREATE ASYMMETRIC KEY `<new_asym_key_name>`
FROM PROVIDER `<cakm_ekm_provider_name>`
WITH
PROVIDER_KEY_NAME = '<key_name_on_cm>',
CREATION_DISPOSITION=OPEN_EXISTING

  2. Create TDE Login and add credentials.

    CREATE LOGIN <tde_login_name>
FROM ASYMMETRIC KEY <new_asym_key_name>;

CREATE CREDENTIAL <tde_cred_name>
WITH IDENTITY = '<domain_name||cm_username>',
SECRET = '<cm_password>'
FOR CRYPTOGRAPHIC PROVIDER <cakm_ekm_provider_name>;

ALTER LOGIN <tde_login_name>
ADD CREDENTIAL <tde_cred_name>;

  3. Rotate the Database Encryption Key (DEK).

    Note

    <algorithm_name> used for DEK should be same as that was used with VKM.

    • For Microsoft SQL Server versions 2016 and above, use the below command to rotate the DEK.

      USE <db_name>

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM=<algorithm_name>

ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY <new_asym_key_name>

      Note

      Here, ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM=<algorithm_name> is optional as it rekeys the database that may take time depending on the resource of the system and the size of the database.

    • For Microsoft SQL Server versions below 2016.

      USE <db_name>

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = <algorithm_name>
ENCRYPTION BY SERVER ASYMMETRIC KEY <new_asym_key_name>;

    With this, TDE is enabled on <db_name> with CAKM for Microsoft SQL EKM provider.

copy link to clipboardTDE Passive Migration

Passive migration steps are run on a restored MS SQL database backup.

Before performing the following steps for Passive Migration, ensure that DSM backup is successfully restored into the CipherTrust Manager.

  1. Update the VKM_mode parameter, set the corresponding value to yes in cakm_mssql_ekm.properties file, and restart the Microsoft SQL Server Service.

  2. Fetch the restored Asymmetric Key from the CipherTrust Manager, using the following commands:

    USE Master;

CREATE ASYMMETRIC KEY `<new_asym_key_name>`
FROM PROVIDER `<cakm_ekm_provider_name>`
WITH
PROVIDER_KEY_NAME = '<key_name_on_cm>',
CREATION_DISPOSITION=OPEN_EXISTING

    Note

    Use a key name other than that was used with VKM.

  3. Create TDE Login and add credentials.

    CREATE LOGIN <tde_login_name>
FROM ASYMMETRIC KEY <new_asym_key_name>;

CREATE CREDENTIAL <tde_cred_name>
WITH IDENTITY = '<domain_name||cm_username>',
SECRET = '<cm_password>'
FOR CRYPTOGRAPHIC PROVIDER <cakm_ekm_provider_name>;

ALTER LOGIN <tde_login_name>
ADD CREDENTIAL <tde_cred_name>;

  4. Before restoring the database, ensure that the database backup is copied to the desired Microsoft SQL Server node. Now, restore the database <db_name> using the below command.

    RESTORE DATABASE <DB Name> FROM DISK = '<backup_file_path>\<backup_file_name>.bak' WITH REPLACE;

  5. Set the ENCRYPTION OFF for database <db_name>.

    Use <db_name>;

ALTER DATABASE <db_name>
SET ENCRYPTION OFF;

  6. Drop the Database Encryption Key (DEK).

    DROP DATABASE ENCRYPTION KEY;

  7. Set the database recovery mode from FULL to SIMPLE.

    USE master;

ALTER DATABASE <db_name> SET RECOVERY SIMPLE WITH NO_WAIT

  8. Set the VKM_Mode property to no in the cakm_mssql_ekm.properties file and restart the Microsoft SQL Server service.

  9. Create a new Asymmetric key for the database <db_name>.

    USE master;

CREATE ASYMMETRIC KEY <new_key_name>
FROM PROVIDER <cakm_ekm_provider_name>
WITH ALGORITHM = <algorithm_name>,
PROVIDER_KEY_NAME = '<key_name_on_cm>',
CREATION_DISPOSITION=CREATE_NEW

    Note

    <algorithm_name> should be same as that was used with VKM.

  10. Create new TDE login and credential.

    CREATE LOGIN <new_tde_login_name>
FROM ASYMMETRIC KEY <new_asym_key_name>;

CREATE CREDENTIAL <new_tde_cred_name>
WITH IDENTITY = '<domain_name||cm_username>',
SECRET = '<cm_password>'
FOR CRYPTOGRAPHIC PROVIDER <cakm_ekm_provider_name>;

ALTER LOGIN <new_tde_login_name>
ADD CREDENTIAL <new_tde_cred_name>;

  11. Create a new DEK for the database <db_name>.

    USE <db_name>

CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = <algorithm_name>
ENCRYPTION BY SERVER ASYMMETRIC KEY <new_asym_key_name>;

  12. Set the ENCRYPTION ON for database <db_name>.

    Use <db_name>;
ALTER DATABASE <db_name>
SET ENCRYPTION ON;

  13. Set the database recovery mode from SIMPLE to FULL.

    USE master;
ALTER DATABASE <db_name> SET RECOVERY FULL WITH NO_WAIT

    With this, TDE is enabled on <db_name> with CAKM for Microsoft SQL EKM provider.

On this page