译:如何成功恢复TDE加密过的数据库
问题:
解决方案:
使用TDE创建新的SQL Server数据库
USE [master]; GO -- Create the database master key -- to encrypt the certificate CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'FirstServerPassw0rd!'; GO -- Create the certificate we're going to use for TDE CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE Cert for Test'; GO -- Back up the certificate and its private key -- Remember the password! BACKUP CERTIFICATE TDECert TO FILE = N'C:\SQLBackups\TDECert.cer' WITH PRIVATE KEY ( FILE = N'C:\SQLBackups\TDECert_key.pvk', ENCRYPTION BY PASSWORD = 'APrivateKeyP4ssw0rd!' ); GO -- Create our test database CREATE DATABASE [RecoveryWithTDE]; GO -- Create the DEK so we can turn on encryption USE [RecoveryWithTDE]; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE TDECert; GO -- Exit out of the database. If we have an active -- connection, encryption won't complete. USE [master]; GO -- Turn on TDE ALTER DATABASE [RecoveryWithTDE] SET ENCRYPTION ON; GO
这将启动数据库上的加密过程。请注意我为数据库主密钥指定的密码。正如所暗示的那样,当我们在第二台服务器上执行恢复时我将使用不同的密码,不需要拥有相同的密码,但需要拥有相同的证书,我们将在查看恢复过程中的“陷阱”时了解这一点。即使在基本为空的数据库上,加密数据库也需要几秒钟的时间。可以通过以下查询查询加密的状态:
-- We're looking for encryption_state = 3 -- Query periodically until you see that state -- It shouldn't take long SELECT DB_Name(database_id) AS 'Database', encryption_state FROM sys.dm_database_encryption_keys;
当encryption_state显示为3时,您应该对数据库进行备份,因为我们将需要它来恢复到第二台服务器(您的路径可能不同):
-- Now backup the database so we can restore it -- Onto a second server BACKUP DATABASE [RecoveryWithTDE] TO DISK = N'C:\SQLBackups\RecoveryWithTDE_Full.bak'; GO
Failed Restore - No Key, No Certificate
-- Attempt the restore without the certificate installed RESTORE DATABASE [RecoveryWithTDE] FROM DISK = N'C:\SQLBackups\RecoveryWithTDE_Full.bak' WITH MOVE 'RecoveryWithTDE' TO N'C:\SQLData\RecoveryWithTDE_2ndServer.mdf', MOVE 'RecoveryWithTDE_log' TO N'C:\SQLData\RecoveryWithTDE_2ndServer_log.mdf'; GO
Failed Restore - The Same Certificate Name, But Not the Same Certificate
-- Let's create the database master key and a certificate with the same name -- But not from the files. Note the difference in passwords CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'SecondServerPassw0rd!'; GO -- Though this certificate has the same name, the restore won't work CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE Cert for Test'; GO -- Since we don't have the corrected certificate, this will fail, too. RESTORE DATABASE [RecoveryWithTDE] FROM DISK = N'C:\SQLBackups\RecoveryWithTDE_Full.bak' WITH MOVE 'RecoveryWithTDE' TO N'C:\SQLData\RecoveryWithTDE_2ndServer.mdf', MOVE 'RecoveryWithTDE_log' TO N'C:\SQLData\RecoveryWithTDE_2ndServer_log.mdf'; GO
请注意数据库主密钥密码(与第一台机器上的主密钥密码)是的不同,这两个主密钥的密码这是不同的,但这不是我们在恢复中失败的原因。和之前的情况一样,我们没有正确的证书。结果,您将得到与前一种情况相同的错误。
Failed Restore - The Right Certificate, but Without the Private Key
这将出现一个不同的界面,您应该查看权限选项卡。如果您看到它,请单击Continue按钮。如果UAC打开,你会看到它。
现在您将打继承选项。注意我圈出来的东西。如果框未选中,如下图所示,这意味着取消继承。如果您的文件就是这种情况,请单击复选框,并在每个接口单击OK以重新打开继承。
现在让我们尝试恢复证书,但故意忘记使用私钥进行恢复。在从文件创建证书之前,必须先删除刚刚创建的证书。
-- Let's drop the certificate and do the restore of it... -- But without the private key DROP CERTIFICATE TDECert; GO -- Restoring the certificate, but without the private key. CREATE CERTIFICATE TDECert FROM FILE = 'C:\SQLBackups\TDECert.cer' GO -- We have the correct certificate, but not the private key. -- This should fail as well. RESTORE DATABASE [RecoveryWithTDE] FROM DISK = N'C:\SQLBackups\RecoveryWithTDE_Full.bak' WITH MOVE 'RecoveryWithTDE' TO N'C:\SQLData\RecoveryWithTDE_2ndServer.mdf', MOVE 'RecoveryWithTDE_log' TO N'C:\SQLData\RecoveryWithTDE_2ndServer_log.mdf'; GO
我们有正确的证书,但是没有私钥,SQL Server不能用它来解密数据库。结果,我们得到一个不同的错误,告诉我们这个键有问题。错误提示密钥似乎已损坏,但我们知道真正的问题:我们没有恢复密钥。
The Successful Restore
-- Let's do this one more time. This time, with everything, -- Including the private key. DROP CERTIFICATE TDECert; GO -- Restoring the certificate, but without the private key. CREATE CERTIFICATE TDECert FROM FILE = 'C:\SQLBackups\TDECert.cer' WITH PRIVATE KEY ( FILE = N'C:\SQLBackups\TDECert_key.pvk', DECRYPTION BY PASSWORD = 'APrivateKeyP4ssw0rd!' ); GO -- We have the correct certificate and we've also restored the -- private key. Now everything should work. Finally! RESTORE DATABASE [RecoveryWithTDE] FROM DISK = N'C:\SQLBackups\RecoveryWithTDE_Full.bak' WITH MOVE 'RecoveryWithTDE' TO N'C:\SQLData\RecoveryWithTDE_2ndServer.mdf', MOVE 'RecoveryWithTDE_log' TO N'C:\SQLData\RecoveryWithTDE_2ndServer_log.mdf'; GO
一切就绪,我们终于成功了!
第二个要求不应该令人惊讶,因为这是将数据库恢复到不同服务器的标准要求。
Next Steps
- Read up on some more points you should know about implementing TDE in SQL Server 2008.
- Learn how to configure TDE in SQL Server 2012 when using Availability Groups.
- Understand how to set up encrypted backups in SQL Server 2014 for cases where you can't use TDE.