Installing CTE on Microsoft SQL AlwaysOn
This section describes how to implement CTE with Microsoft SQL AlwaysOn in a variety of configurations for primary and secondary replica servers, and assumes that you have a basic understanding of Microsoft SQL database.
You may want to keep the primary server decrypted to serve all users, and use the secondary database for running reports or backups.
-
If the database is encrypted, then the Volume Shadow copy-related backups will snapshot and backup encrypted protected data.
-
Administrators with the
apply_key
permission can run a query and pull down reports from the secondary database server without affecting the performance of the primary database server. -
The secondary server could be in a remote Data Recovery location. You may want to secure it with encryption.
-
LDT is supported with SQL AlwaysOn. See Using LDT with SQL AlwaysOn for more information.
Methods for Initial Encryption
There are multiple methods for performing the initial encryption of the databases. Decide on which of the following methods best fits your environment. For more information on transforming data, see the CTE-Live Data Transformation with Data Security Manager.
-
Data Transformation – Encrypt data in place
-
Backup and Restore to a GuardPoint
-
Copy and paste the data into a GuardPoint
Configuration 1
-
Databases on primary server and secondary replica servers require encryption
-
Database name and location of secondary replica server are the same as the primary server
To perform the procedure:
-
Perform a full backup of the primary database.
-
Change the primary database to offline mode.
-
Confirm the creation of a data transformation and/or standard policy.
-
Guard the folder containing the primary database files with that policy:
-
If using 'Encrypt data in place' as the selected method of encryption, execute the data transformation and then apply the standard policy.
-
If using the 'Copy/Restore ' method of encryption, apply the standard policy on an empty folder/device.
-
-
On the secondary server, create a new folder to store the replicated database.
The folder name and the path must be the same as the primary server.
-
Guard the folder with the standard policy.
-
Perform step 4 above for additional secondary server(s).
-
Put the primary database back into online mode.
-
Setup SQL AlwaysOn High Availability group to perform FULL Data Synchronization.
This copies the primary database and replicates it to secondary replica servers.
-
Verify that the databases in the secondary server are in “Synchronized” mode.
Configuration 2
-
Database on the primary server does not require encryption, but the secondary replica database requires it
-
Database names and locations for the secondary replica servers are the same as the primary server
To perform the procedure:
-
Perform a full backup of the primary database.
-
Confirm the creation of a data transformation and/or standard policy.
-
On the secondary server, create a new folder to store the replicated database.
The folder name and the path must be the same as the primary server.
-
Guard the folder with the standard policy.
-
Perform step 3 & 4 above for additional secondary server(s).
-
Setup SQL AlwaysOn High Availability group to perform FULL Data Synchronization.
This copies the primary database and replicates it to secondary replica servers.
-
Verify that the databases in the secondary server are in “Synchronized” mode.
Configuration 3
-
Databases on the primary and secondary replica servers require encryption
-
Database name is the same, but the location of the secondary replica server is in a different location from that of the primary server
To perform the procedure:
-
Perform a full backup of the primary database.
-
Change the primary database to offline mode.
-
Confirm the creation of a data transformation and/or standard policy.
-
Guard the folder containing the primary database files with that policy:
-
If using 'Encrypt data in place' as the selected method of encryption, execute the data transformation and then apply the standard policy.
-
If using the 'Copy/Restore ' method of encryption, apply the standard policy on an empty folder/device.
-
-
On the secondary server, create a new folder to store the replicated database.
The folder name and the path must be the same as the primary server.
-
Guard the folder with the encryption policy.
-
From secondary server, perform the restore to the primary database.
-
Select the options Restore with norecovery and Relocate all files to folder.
-
Specify the path of the new folder from step 5.
-
-
Repeat steps 4 & 5 above for any additional secondary server(s).
-
Setup SQL AlwaysOn High Availability group to perform JOIN ONLY Data Synchronization.
This joins the secondary database to the SQL Always High Availability Group. It also establishes replication of new data and logs from the primary to the secondary replicated server.
-
Verify that the databases in the secondary server are in Synchronized mode.
Configuration 4
-
Database on the primary server does not require encryption, but the secondary replica database requires encryption
-
Database name is the same, but the location on the secondary replica server is in a different location than that of the primary server
To perform the procedure:
-
Perform a full backup of the primary database.
-
Confirm the creation of a data transformation and/or standard policy.
-
On the secondary server, create new folder to store the replicated database.
-
Guard the folder with the standard policy.
-
From secondary server, perform restore the primary database:
-
Select the options Restore with norecovery and Relocate all files to folder.
-
Specify the path of the new folder from step.
-
-
Setup SQL AlwaysOn High Availability group to perform JOIN ONLY Data Synchronization.
Joins the secondary database to the SQL Always HA Group. It also establishes replication of new data and logs from the primary to the secondary replicated server.
-
Verify that the databases in the secondary server are in Synchronized mode.
Configuration 5
Following is an alternative method for protecting data in a MS SQL Server AlwaysON environment.
To perform the procedure:
-
Shut down SQL services completely, on the secondary node.
It is important to shut down the secondary node first, in order to keep the assignments the same.
-
Shut down SQL services completely on the primary node.
-
Create GuardPoints, using Data Transformation policies, on the directories containing the databases to be encrypted in the primary node.
Perform encrypt-in-place encryption on each directory.
-
Create GuardPoints, using Data Transformation policies, on the directories containing the databases to be encrypted in the secondary node.
Perform encrypt-in-place encryption on each directory.
-
Delete the GuardPoints, using Data Transformation policies, from the primary node.
-
Create GuardPoints, using operational policies, on the four directories in the primary node.
-
Delete GuardPoints, using Data Transformation policies, from the secondary node.
-
Create GuardPoints, using operational policies, on the four directories in the secondary node.
-
Activate SQL services on the primary node.
-
Activate SQL services on the secondary node.