SQL Server 2014 Backup Encryption

转载自： Microsoft MVP Award Program Blog

来源：Microsoft MVP Award Program Blog 的博客：https://blogs.msdn.microsoft.com/mvpawardprogram/2014/06/02/sql-server-2014-backup-encryption/

How does backup encryption work ?

There is no encryption without keys, and backup encryption is no exception : we first need to create a Database Master Key (DMK) of the master system database, and a certificate. The DMK is a symmetric key, and is unique to each database in each SQL Server instance : we cannot restore an encrypted backup file on a distinct or re-installed SQL Server instance without the master system database DMK (or an encrypted database without its DMK).

 

数据库备份文件加密是如何工作的？

加密必须要使用秘钥，SQL备份文件加密也不例外。

我们首先需要在系统数据库master上创建一个database master key（DMK）以及一张证书。

DMK是一个对称秘钥，并且在每个SQL实例的每个数据库都是唯一的。在master系统数据库不存在DMK的情况下，我们无法使用加密的备份文件（或者加密的数据库），在不同的SQL实例或者重新安装的SQL实例上进行还原。

 

The Database Master Key is encrypted by the AES 256 algorithm, using the Service Master Key, which is also a symmetric key. It is encrypted based on the SQL Server service account credentials and the Windows Data Protection API machine key. The Service Master Key is unique per SQL Server instance, and created during SQL Server installation. It is stored in the master system database and in the user database, so as to enable its automatic decryption (cf. sys.symmetric_keys system view).

 

DMK使用SMK、AES 256算法进行加密，它也是一个对称秘钥。加密基于SQL实例的启动账号证书和Windows数据保护API机器秘钥。SMK在每个SQL实例下是唯一的，随SQL实例的安装同时生成。它保存在master系统数据库以及用户数据库中，为了达到自动解密的目的。（查阅系统视图sys.symmetric_keys system view）

 

Finally, a Certificate contains a public key that is digitally signed, and may contain a private key. This private key is protected by the DMK. While SQL Server can generate IETF X.509v3-compliant certificates, it also allows to use certificates generated by third-parties (cf. sys.certificates system view).

 

最终，一张证书包含一个数字签名的公钥，并可能包含一个私钥。这个私钥受到DMK的保护。SQL Server能够生成IETF X.509v3-兼容证书，这种类型允许使用第三方生成的证书。

 

We can summarize the encryption hierarchy levels with the following diagram :

以下是加密的层级架构：

 

The backup process works on a data page basis : it copies data pages from the data files into the backup file. Since SQL Server 2008, we can compress database backups. This feature is supported by an algorithm similar to the ones behind file compression software : it factorizes patterns of data found in the data pages. Whether the backup data pages are compressed or not, SQL Server 2014 is able to encrypt these pages with the AES 128, AES 192, AES 256 or Triple DES algorithms.

 

备份程序以数据页为最小单元进行工作：将数据页复制到备份文件中。从SQL Server 2008之后，数据库备份文件支持压缩功能。这个特性被一种和文件压缩软件相似的算法支持：it factorizes patterns of data found in the data pages。无论备份文件的数据页是否使用被压缩，SQL Server 2014都能够使用AES 128, AES 192, AES 256 or 三重 DES算法加密这些数据页。

 

Encrypting a database backup in T-SQL

In this example, we will use the Contoso demo database. The code needed to take an encrypted database backup is following the steps described in the previous section. First of all, we must backup the service master key :

 

使用T-SQL代码加密数据库备份文件

以下示例中，我们将使用名为Contoso的数据库进行演示。首先，我们必须备份SMK：

USE master

GO

 

— 将SQL实例的 service master key备份到磁盘上

— 理想情况下, 此服务器主钥，应该存储在访问受到保护的，和数据库服务器不同的机器上。

BACKUP SERVICE MASTER KEY

TO FILE ='g:\service-master-key.key'

ENCRYPTION BY PASSWORD = ‘q1w2e3r4.smk’;

GO

 

We then have to create the master key, which again is straightforward. The password used to encrypt the master key can be different than the one used to encrypt the service master key backup file.

然后我们要在master数据库下创建主钥，这一步很简单。同时，你可以使用和SMK不同的密码值来加密（数据库）主钥。

 

— 创建一个新的数据库主钥 DMK

CREATE MASTER KEY

ENCRYPTION BY PASSWORD = 'q1w2e3r4.dmk'; --这个密码在之后使用open master key时，解密主钥时会用到（译者注）

GO

— 将数据库的主钥备份到磁盘上

— 理想情况下, 此数据库主钥，应该存储在访问受到保护的，和数据库服务器不同的机器上。

BACKUP MASTER KEY

TO FILE = 'g:\database(master)-master-key.key'

ENCRYPTION BY PASSWORD ='q1w2e3r4.dmk-1';

GO

 

We can confirm the creation of the master key by examining the sys.symmetric_keys system view : it now shows one, named ##MS_DatabaseMasterKey##. Next, we need to create the certificate, which is achieved with a single instruction :

 

我们可以通过查询系统视图：sys.symmetric_keys 来确认刚才创建的（数据库）主钥。正常的返回结果应该是一个名字包含##MS_DatabaseMasterKey##的记录。下一步，我们使用一句简单的単行命令创建证书：

USE master

GO

 

— 创建证书

CREATE CERTIFICATE Contoso_BackupEncryptionWithSQLServer2014

WITH SUBJECT = 'used for contoso db';

GO

 

Similarly, interrogating the sys.certificates system view in the master database context will now return a supplementary row, and the column pvt_key_encryption_type_desc indicates ENCRYPTED_BY_MASTER_KEY.

 

同样地，在master数据库中，查询系统视图sys.certificates将返回一行新的结果，其中名为pvt_key_encryption_type_desc列的值应该显示为：ENCRYPTED_BY_MASTER_KEY。

 

As for every key, we want to save the certificate : this requires to specify a private key file. It clearly implies that one does not work without the other. Here again, a password is required to cipher the certificate file, and optionally a different one can be defined for the decryption. This password is the public key of the certificate.

 

对于每一个秘钥，我们可以使用以下方法保存他的证书：这一步骤需要指定一个私钥文件。 It clearly implies that one does not work without the other。同样的，证书文件需要一个密码去加密它（证书本身）。另外一个可选的选项是，解密可以使用不同的密码。这个密码是证书的公钥。

 

— 保存证书

— 理想情况下, 此服务器主钥，应该存储访问受到保护的，和数据库服务不同的机器上。

BACKUP CERTIFICATE Contoso_BackupEncryptionWithSQLServer2014

TO FILE ='g:\cert.cert'

WITH PRIVATE KEY

        (

                FILE ='g:\private-key.key'

                , ENCRYPTION BY PASSWORD = 'q1w2e3r4.pk'

        );

GO

 

At this point, the groundwork is laid for taking encrypted backups. We have 4 files that we need to keep in a secure and distinct storage area :

 

进行到这一步，我们将获得以下4个文件：

1） service-master-key.key

2） database(master)-master-key.key

3） private-key.key

4） cert.cert

 

Backing up a database and ciphering the resulting file only requires us to choose an encryption algorithm and to specify the certificate we want to use :

之后，我们备份这个数据库，并且加密它的备份文件，很简单，只需要提供加密算法类型以及证书就行了：

— Backing up the ContosoRetailDW demo database, with encryption

BACKUP DATABASE ContosoRetailDW

TO DISK = 'g:\ContosoRetailDW_FULL_ENCRYPTED.bak'

WITH INIT, CHECKSUM, COMPRESSION, STATS = 1

, ENCRYPTION

(

ALGORITHM = AES_256

, SERVER CERTIFICATE = Contoso_BackupEncryptionWithSQLServer2014

)

Restoring a database from an encrypted backup file

 

Before we walk thorugh the restoration process, we must keep in mind that SQL Server 2014 introduces native backup encryption. Thus, restoring a database from a natively encrypted backup file on a version of SQL Server that is anterior to SQL Server 2014 is not supported.

 

使用加密的备份文件进行还原

在开始还原操作之前，我们必须理解SQL Server 2014本地备份文件加密技术是什么样子的。因此，想在比SQL Server 2014版本跟早的版本之上，使用加密的备份文件还原一个数据库是不支持的。

 

Restoring the database on the same SQL Server 2014 instance

 

Restoring a database from an encrypted backup file on the same SQL Server 2014 instance as the one on which its backup has been taken is operated as usual : all the keys and the certificate are already registered in the master database. Consequently, they are opened automatically when needed for decryption.

 

使用加密的备份文件，在同SQL实例下还原数据库。由于所有涉及到的钥匙都已经就位于master数据库中，因此当需要使用到他们时，会自动打开以及解密。

 

RESTORE DATABASE ContosoRetailDW_RestoredFromEncryptedBackupFile

FROM DISK = ‘E:\SQLServerBackup\ContosoRetailDW\ContosoRetailDW_FULL_ENCRYPTED.bak’

WITH MOVE ‘ContosoRetailDW2.0’ TO ‘E:\Contoso\ContosoRetailDW_EncrypteBackup_data.mdf’ --这里改成你的路径

, MOVE ‘ContosoRetailDW2.0_log’ TO ‘E:\Contoso\ContosoRetailDW_EncrypteBackup_log.ldf’ --这里改成你的路径

, STATS = 1