SQL Server TDE on Mirror and Log Shipping

Today in our Virtual Chapter meeting for VCDBA, I presented on SQL Server Encryption including TDE.  The question was posed as to whether or not the TDE would take effect if the mirror was established first and then you enabled TDE on the database.  I was not sure at the time only because I had not done any tests, so I did not want to say yes or no unless I could substantiate it.

I set off to do some tests.  First I created a Mirrored database using the demo code from the VC presentation.

Once the database was created on instance 1, I took a backup of the database and a log backup. Then I restored it to the second instance, along with its log, with no recovery. Once it was primed and ready, I established a mirror and saw the database was synchronized.  Now the trick is to create the components to establish the Encryption Hierarchy.

Now that we have the MASTER KEY and the Certificate in place, you need to back up the certificate to a set of files and restore it to the second instance.

NOW CHANGE TO THE SECOND INSTANCE

Now that you have the Encryption Hierarchy established for both instances, let’s encrypt the database.

What will happen in the Mirror is that it will encrypt the database, even though you won’t be able to see it.  When it is fully encrypted, and you fail the database over in the Mirror, it will indicate that the database is encrypted. On the Principal you can see it with the query below.
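
The hierarchy setup, certificate copy, encryption and verification steps described above, written out as T-SQL. This is an added example, not the demo code from the original presentation; the database name TestTDEMirror, the certificate name TDEDemoCert, the file paths and the passwords are placeholders chosen for illustration.

```sql
-- Added example: all names, paths and passwords below are placeholders.

-- ===== Instance 1 (principal): build the encryption hierarchy =====
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongPassword1>';
CREATE CERTIFICATE TDEDemoCert WITH SUBJECT = 'TDE demo certificate';
GO
-- Export the certificate with its private key so the partner instance
-- can open the database encryption key (DEK).
BACKUP CERTIFICATE TDEDemoCert
    TO FILE = 'C:\Backup\TDEDemoCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\TDEDemoCert.pvk',
        ENCRYPTION BY PASSWORD = '<StrongPassword2>');
GO

-- ===== Instance 2 (mirror): recreate the same certificate =====
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongPassword3>';
CREATE CERTIFICATE TDEDemoCert
    FROM FILE = 'C:\Backup\TDEDemoCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\TDEDemoCert.pvk',
        DECRYPTION BY PASSWORD = '<StrongPassword2>');
GO

-- ===== Instance 1 (principal): create the DEK and turn TDE on =====
USE TestTDEMirror;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDEDemoCert;
GO
ALTER DATABASE TestTDEMirror SET ENCRYPTION ON;
GO

-- ===== Verify: encryption_state 2 = in progress, 3 = encrypted =====
SELECT d.name, d.is_encrypted, k.encryption_state, k.percent_complete
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
    ON k.database_id = d.database_id
WHERE d.name = N'TestTDEMirror';
```

The exported .cer and .pvk files, together with the private key password, are what any other instance needs to restore or attach the encrypted database, so keep them in a protected location separate from the database backups.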

Now for the Log Shipping copy

To establish the test for the Log Shipping, do the same as you did for the mirror but restore the Full, then the Log with Standby so that you can see that it flags it as encrypted.  First establish the Log Shipping without encryption set up, and once you are in Standby on the Shipped side, you can use the existing Certificate to test the idea of encryption afterwards.

Steps:

  1. CREATE DATABASE
  2. SET Recovery Model to Full
  3. Backup Database
  4. Backup Log
  5. Change to second instance
  6. RESTORE DATABASE with NORECOVERY
  7. RESTORE LOG WITH STANDBY
  8. Change to first instance
  9. USE TESTTDELOGSHIPPING
  10. CREATE DATABASE ENCRYPTION KEY
  11. ALTER DATABASE TESTTDELOGSHIPPING SET ENCRYPTION ON
  12. BACKUP LOG
  13. Change to second instance
  14. RESTORE LOG TESTTDELOGSHIPPING WITH STANDBY
  15. Run the above query to see if the database is encrypted. You will see is_encrypted = 1

This shows that the Mirroring and Log Shipping processes are affected by the Database Encryption Process.

Happy Encrypting….!
