(5.3.7) SQL Server backup file encryption and decryption for database migration

Recently I looked into something related to database backups: backups should be encrypted. I searched the Internet for a good way to do it and found the picture surprisingly chaotic...

From what I found online, there are three ways to encrypt SQL Server database backups:

 

[1] Use WITH PASSWORD (SQL Server 2008 and earlier)

1. Add the PASSWORD parameter to the BACKUP statement [this method applies to versions before SQL Server 2012 (2012 excluded)]

However, this PASSWORD parameter is not the full data encryption we imagine.

Example:

-- Backup
-- [数据库] is a placeholder for your database name.
-- TO DISK accepts only a literal or a variable, not an expression, so the
-- timestamped file name is built into a variable first.
DECLARE @file nvarchar(260);
SET @file = 'c:\mssql' + REPLACE(REPLACE(REPLACE(REPLACE(CONVERT(varchar, GETDATE(), 121), '-', ''), ' ', ''), ':', ''), '.', '') + '.bak';
BACKUP DATABASE [数据库] TO DISK = @file WITH PASSWORD = '123', INIT;

-- Restore
RESTORE DATABASE [database] FROM DISK = '<path to the backup file>' WITH PASSWORD = '123';

 

According to the MSDN description: https://msdn.microsoft.com/zh-cn/library/ms186865(v=sql.100).aspx


This password only appears to attach a password to the backup; it does not encrypt the backup data. If the password is simply modified or replaced, the backup data can still be read correctly, so in practice this "encryption" is not very meaningful.

 

[2] Use TDE encryption (SQL Server 2008 and later)

2. Enable transparent data encryption (TDE) on the database [this method applies to SQL Server 2008 and later (2008 included)]

Note: only SQL Server Enterprise Edition supports this feature.

TDE is actually quite good, because it is not merely backup encryption: the entire database is encrypted. And since it is "transparent", it does not affect any operation on the database. Normal operations (insert, delete, update, select and the like), as well as backup and restore, need no special consideration of encryption. Only once the database leaves the current server do you find that nothing can be done with it: the original encryption certificate must be imported on the new server before it can be used normally.

Related MSDN documentation: https://msdn.microsoft.com/zh-cn/library/bb934049.aspx


 

Enabling transparent data encryption requires the following steps:

[2.1] Encrypting the backup source instance with TDE

1. In the master database, create the database master key:

More: https://msdn.microsoft.com/zh-cn/library/ms174382.aspx

USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$$test$$';

 

Here PASSWORD = '...' sets the password of the master key; it must be set to a sufficiently strong value.

To change the master key, use:

More: https://msdn.microsoft.com/zh-cn/library/ms186937.aspx

use master;
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '$$123123$$';

 

2. In the master database, create the certificate used to encrypt the database:

More: https://msdn.microsoft.com/zh-cn/library/ms187798(v=sql.120).aspx

USE master;
CREATE CERTIFICATE TestCert WITH SUBJECT = '测试证书';

Here TestCert is the certificate name; you can name it whatever you like, but remember it! SUBJECT is apparently just the subject; anything will do, but it had better not exceed 128 bytes.

3. In the database to be encrypted, set the certificate and the encryption algorithm:

More: https://msdn.microsoft.com/zh-cn/library/bb677241.aspx

USE TestDB;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE TestCert;

 

Here TestCert is the certificate name created in the previous step, and ALGORITHM is the encryption algorithm, one of AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY; choose an algorithm of suitable strength for your needs.

4. Enable encryption on the database to be encrypted:

ALTER DATABASE TestDB SET ENCRYPTION ON;

 

With the above steps, encryption of the database is complete.

To see which databases on the current server have been encrypted, run the following statement:

SELECT DB_NAME(database_id) AS DatabaseName, * FROM sys.dm_database_encryption_keys;

 

However, you still have to consider restoring the database later, or moving it to another server.

5. First, back up the encryption certificate from the master database:

More: https://msdn.microsoft.com/zh-cn/library/ms178578.aspx

USE master;
BACKUP CERTIFICATE TestCert TO FILE = 'D:\TestCert.cer'  
WITH PRIVATE KEY ( FILE = 'D:\TestCert.pkey', ENCRYPTION BY PASSWORD = '$$certpwd$$' );

 

Here you give the certificate name and the file name to save it to, and at the same time save the private key: its file name and the password that encrypts the private key (this password protects the private key and is needed when restoring).

[2.2] Restoring on the secondary server with TDE (so that backups of the encrypted database can be restored there)

6. On the other database server, again first create the database master key, as in step 1;

7. Then restore the certificate from the files:

USE master;
CREATE CERTIFICATE TestCert FROM FILE = 'D:\TestCert.cer'
WITH PRIVATE KEY ( FILE = 'D:\TestCert.pkey', DECRYPTION BY PASSWORD = '$$certpwd$$');

Yes, restoring the certificate is really just creating the certificate from file: certificate name, file path, private key file path, and the password to decrypt the private key (the one set when backing it up).

8. Then you can attach the database, restore the database, and so on~

 

Note that the key to database encryption is that certificate. The database master key is used to protect database information, such as the storage of the certificate; it is not directly involved in encrypting the database.

So be sure to back up the certificate!!! Otherwise, don't come crying when you can't decrypt the database.
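A check script for exactly this point, added here as an example and not part of the original post: it decodes the encryption state of every database (the raw encryption_state numbers from the query above), shows which certificate protects each database encryption key, and flags certificates in master whose private key has never been backed up. It assumes SQL Server 2008 or later and the VIEW SERVER STATE permission; the certificate name TestCert is the one used in the steps above, but the script does not depend on it.

```sql
-- Added check script (not from the original post). Assumes SQL Server 2008+
-- and VIEW SERVER STATE. Run in master.
USE master;

-- 1. Encryption state per database, joined to the certificate that protects
--    its database encryption key (matched by thumbprint, not by name).
SELECT
    DB_NAME(dek.database_id) AS DatabaseName,
    CASE dek.encryption_state
        WHEN 0 THEN 'No database encryption key present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'Unknown'
    END AS EncryptionState,
    dek.percent_complete,
    dek.key_algorithm,
    dek.key_length,
    c.name AS CertificateName,
    c.expiry_date AS CertificateExpiry,
    c.pvt_key_last_backup_date,
    CASE
        WHEN c.pvt_key_last_backup_date IS NULL THEN 'WARNING: certificate private key never backed up'
        ELSE 'OK'
    END AS CertificateBackupStatus
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint;

-- 2. Every certificate in master that has a private key but has never been
--    backed up with BACKUP CERTIFICATE ... WITH PRIVATE KEY. Any row here is a
--    database you could lose if this server dies.
SELECT name, subject, start_date, expiry_date, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE pvt_key_encryption_type_desc <> 'NO_PRIVATE_KEY'
  AND pvt_key_last_backup_date IS NULL;
```

Once any user database is encrypted with TDE, tempdb also appears in the first result set as encrypted; that is expected and not something to "fix". The useful signal is the WARNING column: running BACKUP CERTIFICATE as in step 5 updates pvt_key_last_backup_date, so the warning disappears after the backup is done.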

Reference article for this part: http://blog.csdn.net/ws_hgo/article/details/6927152

 

Finally, the downside of this method: it encrypts the data of the entire database, including the log and so on, which may put some burden on the CPU.

Also, because the database is already in an encrypted state at backup time, not much compression is possible, so the backup file may be rather large.

Actually, what I care about most is that transparent data encryption (TDE) is only available in Enterprise Edition; the other editions don't have it~


 

[3] Encrypting the backup file directly with an algorithm + certificate

3. Encrypt the backup directly [this method applies to SQL Server 2014 and later (probably?)]

This method is rather like the first one: you add parameters directly at backup time, and only the backup is encrypted, not the database. But, as with the second method, you need to create a certificate first.

1. Fine, I won't repeat it; see step 1 of the second method...

2. See step 2 of the second method...

3. Now you can start backing up the database!

BACKUP DATABASE TestDB TO DISK = 'D:\TestDB.bak' WITH COMPRESSION,
ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TestCert);

 

The first half should be familiar: it is just the statement for backing up a database, and COMPRESSION is the compression option.

The second half is the encryption: ALGORITHM is the encryption algorithm, and TestCert is the certificate we added.
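Since this method protects only the backup file, the thing worth checking afterwards is that a given backup really was written encrypted and with which certificate. The script below is an added example (not from the original post) that reads this from the backup history in msdb; it assumes SQL Server 2014 or later, because the key_algorithm, encryptor_type and encryptor_thumbprint columns of msdb.dbo.backupset exist only from that version, and it uses the database name TestDB from the statement above.

```sql
-- Added verification script (not from the original post). Assumes SQL Server
-- 2014+ and that TestDB has been backed up at least once on this instance.
USE msdb;

-- Most recent backups of TestDB. A NULL key_algorithm (shown as NONE) means the
-- backup file was written in clear; encryptor_type tells whether a certificate
-- or an asymmetric key was used, and the join resolves the thumbprint to the
-- certificate name in master.
SELECT TOP (20)
    bs.database_name,
    bs.backup_finish_date,
    bs.type AS backup_type,          -- D = full, I = differential, L = log
    bmf.physical_device_name,
    bs.backup_size,
    bs.compressed_backup_size,
    ISNULL(bs.key_algorithm, 'NONE') AS key_algorithm,
    bs.encryptor_type,
    bs.encryptor_thumbprint,
    c.name AS certificate_name
FROM dbo.backupset AS bs
JOIN dbo.backupmediafamily AS bmf
    ON bmf.media_set_id = bs.media_set_id
LEFT JOIN master.sys.certificates AS c
    ON c.thumbprint = bs.encryptor_thumbprint
WHERE bs.database_name = N'TestDB'
ORDER BY bs.backup_finish_date DESC;

-- Unencrypted backups of any database in the last 30 days: useful as a
-- scheduled check once you expect every backup to carry ENCRYPTION.
SELECT bs.database_name, bs.backup_finish_date, bs.type, bmf.physical_device_name
FROM dbo.backupset AS bs
JOIN dbo.backupmediafamily AS bmf
    ON bmf.media_set_id = bs.media_set_id
WHERE bs.key_algorithm IS NULL
  AND bs.backup_finish_date >= DATEADD(DAY, -30, GETDATE())
ORDER BY bs.backup_finish_date DESC;
```

Comparing backup_size with compressed_backup_size in the first result also shows the point made later in the post: with this method compression still works, because the data is compressed before it is encrypted.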

 

That is how the backup is created. Of course, restoring on another server also has to be dealt with.

4. OK, I'm being lazy again; it is really just steps 5, 6 and 7 of the second method: back up the certificate, restore the certificate...

5. And then you can happily restore the backup again~

Reference article for this part: http://www.cnblogs.com/CareySon/p/3853016.html

Practical case:

Since SQL Server 2008 (or was it 2005?), SQL Server has offered encryption features that can protect database backups to some extent.
The test environment below is SQL Server 2014.
Main goal: encrypt the backup file, so that restoring it on another computer requires the certificate and key.

--1 Create the master key and the certificate
-- The master key must exist before the certificate, because the certificate's
-- private key is protected by it.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'AA@123';

CREATE CERTIFICATE BackupCertificate2
WITH SUBJECT = N'Test certificate';

--2 Back up the master key
BACKUP MASTER KEY
TO FILE = N'g:\db\testbas.cer'
ENCRYPTION BY PASSWORD = N'AAA@123';

--3 Back up the certificate and private key files
BACKUP CERTIFICATE BackupCertificate2
TO FILE = N'G:\DB\BackupCertificate2.cert'
WITH PRIVATE KEY
(
  FILE = N'g:\db\master_key2.cer',
  ENCRYPTION BY PASSWORD = N'AAA@123'
);

 

-- Restore the certificate and key (first copy the two files backed up above to the computer you are restoring on)

--4 Create the certificate and key from the backup files
-- DECRYPTION BY PASSWORD is the password the private key was backed up with;
-- ENCRYPTION BY PASSWORD protects the imported private key with a password
-- instead of this server's master key.
CREATE CERTIFICATE BackupCertificate
FROM FILE = N'c:\sql\BackupCertificate2.cert'
WITH PRIVATE KEY
(
  FILE = N'C:\SQL\master_key2.cer',
  DECRYPTION BY PASSWORD = N'AAA@123',
  ENCRYPTION BY PASSWORD = N'AAA@123'
);

 

Heh, after all that, it would have been nicer to just say this directly, right? First, in terms of editions, it supports two more editions than TDE does, but still not the one I want...

Second, compression can be used too, though backup compression and backup encryption are supported by the same editions...


Also, it is only supported on 2014 (and later?), and presumably many databases are still on 2008 or even 2005...

 

Summary

So none of these methods is really satisfactory... Use whichever fits your own situation. As for me... given my needs, I think I'll just compress and encrypt with zip...

Well, I wasted a morning researching database backup encryption, and a lunch break writing this up; I suppose the morning wasn't entirely wasted, it may come in handy later...


Source: www.cnblogs.com/gered/p/12160757.html