SQLBalls

Thursday, April 28, 2011

Transparent Data Encryption & Backwards Compatibility

We were working with Chris Mitchell (Twitter) from the Microsoft Technology Center in Atlanta the other day, out of the Microsoft Office in Tampa. The Office Has a Beautiful and very distracting view, see the picture below, of the Bay area, my friend Dan Taylor(blog|Twitter) took the photo.

One of those views that makes you love living in Florida!

But I digress, we were having a really great conversation about features that are enabled or disabled when you enter a database into 80 Compatibility level, but are running on a 2008 R2 Instance.

When having discussions you typically throw things out by features (or at least that is what I’ve heard people do), Database Compression will not work, Filestream will not work, Encryption will not work. But when we brought up encryption I asked does that mean Transparent Data Encryption will not work. Neither of us knew off hand.

I’ve presented on this topic so I’ve got some scripts on standby, so I opened one up fired it off, changed the Compatibility Level, and it still worked.

“So Balls”, you say “Prove It.”

Dear Reader I wouldn’t have it any other way!

AND….. HERE….. WE…… GO!

First we’ll create our Demo Database

Create TDE Database for demo

USE master

IF EXISTS(select * from sys.databases where name=N'TDE')

BEGIN

DROP DATABASE TDE

END

CREATE DATABASE TDE

When we use Transparent Data Encryption we need to First Create a Master Key and a Certificate in the Master Database.

Create the Master Key for the

SQL Server

USE master

CREATE MASTER KEY ENCRYPTION BY PASSWORD='brad1'

Create the Certificate that will be used

for database level encryption

CREATE CERTIFICATE DatabaseCertificate WITH SUBJECT='NunyaBiznes'

Now that we’ve got those let’s alter our databases compatibility level to 80, SQL 2000.

USE TDE

Let's Alter Our Database

And Place It in 80,SQL 2000,

Compatability Mode

ALTER DATABASE TDE

SET COMPATIBILITY_LEVEL = 80

Now let’s Create our table, and Insert some data. You’ll see that I have default values set up to simulate an SSN.

Create Table for filler data

IF EXISTS(SELECT * FROM SYS.tables WHERE name='tdeData')

BEGIN

DROP TABLE dbo.tdeData

END

CREATE TABLE dbo.tdeData(

ID int IDENTITY(1,1) NOT NULL

,nameText varchar(100) default 'fakeSSN'

,ssnText varchar(100) default '111-11-1111'

,fillerText char(5000) default 'a'

)

Create filler data for TDE demo

DECLARE @i int

SET @i = 0

WHILE (@i < 15000)

BEGIN

INSERT INTO tdeData DEFAULT VALUES

SET @i = @i +1

END

I do this in Demo’s because I want people to see that when you insert data into a Data File or a back it up to a Backup File, the data is in plain text. That is part of the reason you use TDE, because it adds an additional layer of protection. So let’s backup our data Pre Encryption, and look at it in a Hex Editor.

Look at that there is our social security number 111-11-1111! Now let’s double check our Compatibility Level.

And now let’s enable encryption. We create a Database Encryption Key using our Certificate we made earlier, and specify our algorithm. Then we set the database encryption to on.

Create Database Encryption Key

USE TDE

CREATE DATABASE ENCRYPTION KEY

WITH ALGORITHM = AES_256

ENCRYPTION BY SERVER CERTIFICATE DatabaseCertificate

Set The Encryption On

ALTER DATABASE TDE

SET ENCRYPTION ON

We’ll use a DMV to validate the encryption process that SQL MVP Jasper Smith(blog) wrote that I’ve loved to use for years now.

SELECT

CASE e.encryption_state

WHEN 0 THEN 'No database encryption key present, no encryption'

WHEN 1 THEN 'Unencrypted'

WHEN 2 THEN 'Encryption in progress'

WHEN 3 THEN 'Encrypted'

WHEN 4 THEN 'Key change in progress'

WHEN 5 THEN 'Decryption in progress'

END AS encryption_state_desc,

e.percent_complete,

DB_NAME(e.database_id) AS DatabaseName,

c.name as CertificateName,

e.encryption_state

FROM sys.dm_database_encryption_keys AS e

LEFT JOIN master.sys.certificates AS c

ON e.encryptor_thumbprint = c.thumbprint

You just execute this after you set Encryption On and watch the internal process work, the size of the database will determine how long it runs. For a large database this is a great DMV to show you just how long the process is taking. And now we are encrypted!

So let’s do another backup and open that up in a Hex Editor to see if we can find our SSN.

And as you can see our file space looks quite a bit different, and we couldn’t find the string for our SSN

WHAT IN THE NAME OF PRO-WRESTLING DOES THIS MEAN!?

First off it means that if you have to keep your database in 80 Compatibility Level, you can still use Transparent Data Encryption to secure your backups and your Data Files at rest. Your log files will be encrypted too, but this occurs at a VLF, virtual log file, level. So the full log will not be encrypted until all VLF's have been over written.

Some other pretty cool possibilities, I asked Paul Randal (blog|twitter) what part of the Storage Engine handled the Encryption and Decryption of pages.

I know Access Methods handles Compression, because the pages are stored in memory in a Compressed State before being passed back to the Relational Engine. But Pages are decrypted when stored in memory? So I didn’t think it was the Access Methods.

Paul confirmed that it was indeed the Buffer Manager that handles TDE.

So that leads me to think some ROCKING things may be possible, if you know what the Buffer Manager IS COOKIN!

Thanks,

Brad

Tuesday, April 26, 2011

SQL Saturday 74 Jacksonville, Last Stop before SQL Rally

This Saturday is SQL Saturday #74 in Jacksonville, FL. This will be the last time that I present on Data Compression in SQL Server, before SQL Rally in May.

This will be my first time in Jacksonville, but I’ve been told by many experienced SQL Saturday Alumni that the location is beautiful, and the event is always a good one. We are on the University of North Florida Campus, in the College of Computing and Engineering Building, for the address Click Here.

There is a great line up for this SQL Saturday. You’ve got great Community Leaders & MVP’s like Kevin Boles (twitter), Andy Warren (blog|twitter), Plamen Ratchev (blog|twitter), Kendal Van Dyke (blog|twitter), Don Stevic (blog|twitter), Adam Jorgensen (twitter), Jose Chinchilla (blog|twitter), Troy Gallant (blog|twitter), Brian Knight , and many many more. I also have it on good authority that this Balls fellow will be there. For the full event schedule Click Here.

So far over 450 people have pre-registered to Attend, and you can be one of them the cost is A WHOLE LOTTA NOTHIN! That’s right Dear Reader, the only cost is your time, you showing up and getting free training in SQL from the cast listed above, Click Here to Register.

This is also the last SQL Saturday in the US before SQL Rally, and I’m psyched.

“But Balls,” you say, ”What if I’m not going to SQL Rally?”

Even more reason to attend! Some of the presentations given today will be given at the Rally! Not only that, but your feedback can help make the SQL Rally better.

Every presentation I do I look for feedback to figure out if there is anything for my presentation that I’m missing or could be doing differently.

So come out and enjoy a day of free training with your peers, discuss SQL, and if you find a place to leave feedback help influence the presenters to be better at what we do!

Thanks,

Brad

Monday, April 25, 2011

Cloudy With A Chance of SQL

We’ve all heard the phrases “The Cloud” and that Microsoft is “All in on the Cloud”. We manage SQL Server, we Develop on SQL Server, and we support SL Servers. We make our living supporting a product that our companies use that was made by Microsoft. Some are predicting that the Cloud will change the world, and plenty more just don’t buy it.

“So Balls,” you say,”As DBA’s what does this Cloud thing mean for us?”

Well Dear Reader it means learning something new, which is always a good thing. The Cloud offers us SQL Azure.

WHO IS THIS SQL AZURE, AND WHO SAID HE COULD TAKE ~~MY BIRD SEED~~ DATABASES

SQL Azure is a totally different version and build of SQL, depending on the release you could get a different version number but executing SELECT @@VERSION should return 10.25.****.

SQL Azure by default disables DMO’s that work below an instance level. You set up a SQL Azure Server, which is a logical container similar to a SQL Instance. However, this is not the type of server that you would create Multiple instances on. Your database will be automatically replicated to three separate locations, load balanced, and supported by High Availability.

While those features are all sound pretty sweet, there are quite a few things that you cannot do, to see the list click here.

One thing that won’t be going out of style with anyone that uses Azure is from the Database on up. By that I mean Indexing, Performance Tuning, and general Database Design.

NOTHING TO SEE HERE

I think one of the biggest drawbacks to the cloud is that you cannot look at the DMO commands or Perfmon for anything at a server level. If an application starts to have a hiccup, the database and its performance normally come in to question at some point. Having access to Server level objects helps us to know things are doing good, or not so good.

Then again, Azure is something new. First we don’t always virtualize it. Second if we virtualize it, we don’t cluster and replicate it to three different locations. Third we don’t LOAD BALANCE it.

So if we did have access to the server, there may be a lot of new things we would have to teach ourselves. Personally I’d like that opportunity, but that could just be me.

So we’ve got to Trust Dear Reader that everything is going just fine with the servers. I’m sure there is a support staff we could contact if need be, but not having done that before I could not tell you the cost nor how to do it.

SQL VS SQL

So let’s take a look at some of the Pro’s and Con’s to this

Pro’s

Time Savings – You won’t be setting up database jobs, no SQL Agent, no Maintenance Tasks

HA/DR- Your High Availability is built in, replicated 3 times, Clustered, Load Balanced, and if one of your Virtual Machines Fails, another will be spun right up.

Hardware-You can stand up Hardware much faster, you don’t have to cost out the depreciation of hardware, you are charged by the usage. Grant Fritchey (Blog|Twitter) wrote about the Cost of SQL Azure, go read that for more great info!

SLA’s-Microsoft has been working with Internet Facing Applications for quite some time, cough cough MSN, Hotmail, Microsoft.com, Technet, I hope you get the point. They have published SLA’s that guarantee 99.95% uptime.

Security-When you go to MVA to learn about Azure there is a Security Model, that show’s how Microsoft is going above and beyond to provide a secure data center experience.

Con’s

Server Access- As we discussed before, your trouble shooting will only go so deep, you won’t be able to look at his for yourself.

No SQL Agent- Okay I get you want to take server management because you’re doing that, but how do I defragment my Indexes, what if I want to run a batch script, or have a job to update statistics.

Trust- When my boss says take a look at that SQL Server and see if anything is wrong, I’m limited, unless I involve boots on the ground that I don’t have a current working relationship with. This will probably get tackled over time, but it does take time.

Lack of features- I posted that earlier, but there are things like XML, Filestream, and Encryption that some applications will need to have.

“So Balls”, you say “Do we use this or what?”

The places I see this being of most benefit, if you have a business group that needs to move fast, you can have a SQL Server, or app servers for that matter, set up in the blink of an eye and the swipe of a credit card. I can see some places this will work great. And I can see some places this will not. I’m going to Total Recall it here Dear Reader, you’ve got to decide on your own, and like just about everything else SQL “It Depends”.

GO LEARN SOMETHING ALREADY!

Right now the Microsoft Virtual Academy is offering free training courses in Cloud technologies. I would recommend you sign up and take the courses. There are video’s, PDF’s and quizzes on Introduction To SQL Azure, Introduction to Windows Azure, Planning, Building and Managing a Private Cloud, and Windows Azure Security Overview.

(By the way everyone end's up being #1 when you take All the tests, while I'd love to be super special you'll get to be #1 as well)

I’ve already taken my training and it was well spent time! Go and learn something!

Thanks,

Brad