摘要:本期月報(bào)我們分享使用證書做數(shù)據(jù)庫備份加密的最佳實(shí)踐。加密差異備份數(shù)據(jù)庫差異備份加密,備份操作前,我們插入一條數(shù)據(jù),以供后續(xù)的測試數(shù)據(jù)校驗(yàn)。因?yàn)閿?shù)據(jù)庫備份文件已經(jīng)加密。
在SQL Server安全系列專題月報(bào)分享中,我們已經(jīng)分享了:如何使用對稱密鑰實(shí)現(xiàn)SQL Server列加密技術(shù)、使用非對稱密鑰實(shí)現(xiàn)SQL Server列加密、使用混合密鑰實(shí)現(xiàn)SQL Server列加密技術(shù)、列加密技術(shù)帶來的查詢性能問題以及相應(yīng)解決方案、行級別安全解決方案和SQL Server 2016 dynamic data masking實(shí)現(xiàn)隱私數(shù)據(jù)列打碼技術(shù)這六篇文章,文章詳情可以參見往期月報(bào)。本期月報(bào)我們分享使用證書做數(shù)據(jù)庫備份加密的最佳實(shí)踐。
談及數(shù)據(jù)庫安全性問題,如何預(yù)防數(shù)據(jù)庫備份文件泄漏,如何防止脫庫安全風(fēng)險(xiǎn),是一個非常重要的安全防范課題。這個課題的目的是萬一用戶數(shù)據(jù)庫備份文件泄漏,也要保證用戶數(shù)據(jù)的安全。在SQL Server中,2014版本之前,業(yè)界均采用的TDE技術(shù)來實(shí)現(xiàn)與防范脫庫行為,但是TDE的原理是需要將用戶所有的數(shù)據(jù)進(jìn)行加密后落盤,讀取時解密。這種寫入時加密,讀取時解密的行為,必然會導(dǎo)致用戶查詢性能的降低和CPU使用率的上升(具體對性能和CPU影響,可以參見這片測試文章SQL Server Transparent Data Encryption (TDE) Performance Comparison)。那么,我們一個很自然的問題是:有沒有一種技術(shù),既可以保證備份文件的安全,又能夠兼顧到用戶查詢性能和CPU資源的消耗呢?這個技術(shù)就是我們今天要介紹的數(shù)據(jù)庫備份加密技術(shù),該技術(shù)是SQL Server 2014版本首次引入,企業(yè)版本和標(biāo)準(zhǔn)版支持備份加密,Web版和Express版支持備份加密文件的還原。
創(chuàng)建測試數(shù)據(jù)庫
為了測試方便,我們專門創(chuàng)建了測試數(shù)據(jù)庫BackupEncrypted。
-- create test database IF DB_ID("BackupEncrypted") IS NOT NULL DROP DATABASE BackupEncrypted GO CREATE DATABASE BackupEncrypted ON PRIMARY (NAME = BackupEncrypted_data, FILENAME = N"E:SQLDATADATABackupEncrypted_data.mdf", SIZE = 100MB, FILEGROWTH = 10MB), FILEGROUP SampleDB_MemoryOptimized_filegroup CONTAINS MEMORY_OPTIMIZED_DATA ( NAME = BackupEncrypted_MemoryOptimized, FILENAME = N"E:SQLDATADATABackupEncrypted_MemoryOptimized") LOG ON ( NAME = BackupEncrypted_log, FILENAME = N"E:SQLDATADATABackupEncrypted_log.ldf", SIZE = 100MB, FILEGROWTH = 10MB) GO
創(chuàng)建測試表
在測試數(shù)據(jù)庫下,創(chuàng)建一張用于測試的表testTable,并插入一條隨機(jī)數(shù)據(jù)。
USE [BackupEncrypted] GO -- create test table and insert one record IF OBJECT_ID("dbo.testTable", "U") IS NOT NULL DROP TABLE dbo.testTable GO CREATE TABLE dbo.testTable ( id UNIQUEIDENTIFIER default NEWID(), parent_id UNIQUEIDENTIFIER default NEWSEQUENTIALID() ); GO SET NOCOUNT ON; INSERT INTO dbo.testTable DEFAULT VALUES; GO SELECT * FROM dbo.testTable ORDER BY id;
該條數(shù)據(jù)內(nèi)容如下截圖:
創(chuàng)建Master Key和證書
創(chuàng)建Master Key和證書,用于加密數(shù)據(jù)庫備份文件。
USE master GO -- If the master key is not available, create it. IF NOT EXISTS (SELECT * FROM sys.symmetric_keys WHERE name LIKE "%MS_DatabaseMasterKey%") BEGIN CREATE MASTER KEY ENCRYPTION BY PASSWORD = "MasterKey*"; END GO USE master GO -- create certificate CREATE CERTIFICATE MasterCert_BackupEncrypted AUTHORIZATION dbo WITH SUBJECT = "Backup encryption master certificate", START_DATE = "02/10/2017", EXPIRY_DATE = "12/30/9999" GO
備份證書
首先,將證書和證書密鑰文件備份到本地,最好它們脫機(jī)保存到第三方主機(jī),以免主機(jī)意外宕機(jī),導(dǎo)致證書文件丟失,從而造成已加密的備份文件無法還原的悲劇。
USE master GO EXEC sys.xp_create_subdir "C:Tmp" -- then backup it up to local path BACKUP CERTIFICATE MasterCert_BackupEncrypted TO FILE = "C:TmpMasterCert_BackupEncrypted.cer" WITH PRIVATE KEY ( FILE = "C:TmpMasterCert_BackupEncrypted.key", ENCRYPTION BY PASSWORD = "aa11@@AA") ;
加密完全備份
創(chuàng)建完Master Key和證書文件后,我們就可以做數(shù)據(jù)庫完全備份加密操作。
USE master; GO -- do full backup database with encryption BACKUP DATABASE [BackupEncrypted] TO DISK = N"C:TmpBackupEncrypted_FULL.bak" WITH COMPRESSION, ENCRYPTION ( ALGORITHM = AES_256, SERVER CERTIFICATE = MasterCert_BackupEncrypted), STATS = 10; GO
加密差異備份
數(shù)據(jù)庫差異備份加密,備份操作前,我們插入一條數(shù)據(jù),以供后續(xù)的測試數(shù)據(jù)校驗(yàn)。
USE [BackupEncrypted] GO -- insert another record SET NOCOUNT ON; INSERT INTO dbo.testTable DEFAULT VALUES; GO SELECT * FROM dbo.testTable ORDER BY id; USE master; GO --Differential backup with encryption BACKUP DATABASE [BackupEncrypted] TO DISK = N"C:TmpBackupEncrypted_DIFF.bak" WITH CONTINUE_AFTER_ERROR,ENCRYPTION ( ALGORITHM = AES_256, SERVER CERTIFICATE = MasterCert_BackupEncrypted), STATS = 10, DIFFERENTIAL; GO
差異備份操作前,校驗(yàn)表中的兩條數(shù)據(jù)如下圖所示:
加密日志備份
數(shù)據(jù)庫事物日志備份加密,備份前,我們照樣插入一條數(shù)據(jù),以供后續(xù)測試數(shù)據(jù)校驗(yàn)。
USE BackupEncrypted GO -- insert another record SET NOCOUNT ON; INSERT INTO dbo.testTable DEFAULT VALUES; GO SELECT * FROM dbo.testTable ORDER BY id; USE master; GO -- backup transaction log with encryption BACKUP LOG [BackupEncrypted] TO DISK = N"C:TmpBackupEncrypted_log.trn" WITH CONTINUE_AFTER_ERROR,ENCRYPTION ( ALGORITHM = AES_256, SERVER CERTIFICATE = MasterCert_BackupEncrypted), STATS = 10; GO
日志備份操作前,校驗(yàn)表中的三條數(shù)據(jù)如下圖所示:
查看備份歷史
數(shù)據(jù)完全備份、差異備份和日志備份結(jié)束后,查看備份歷史記錄。
use msdb GO -- check backups SELECT b.database_name, b.key_algorithm, b.encryptor_thumbprint, b.encryptor_type, b.media_set_id, m.is_encrypted, b.type, m.is_compressed, bf.physical_device_name FROM dbo.backupset b INNER JOIN dbo.backupmediaset m ON b.media_set_id = m.media_set_id INNER JOIN dbo.backupmediafamily bf on bf.media_set_id=b.media_set_id WHERE database_name = "BackupEncrypted" ORDER BY b.backup_start_date DESC
備份歷史信息展示如下:
從截圖中數(shù)據(jù)我們可以看出,三種備份都采用了證書做備份加密。
查看備份文件信息
備份歷史檢查完畢后,在清理測試環(huán)境之前,檢查備份文件元數(shù)據(jù)信息,可以成功查看,沒有任何報(bào)錯。
USE master GO -- before clean environment, try to get backup files meta info, will be success RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_FULL.bak" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_FULL.bak" RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_DIFF.bak" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_DIFF.bak" RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_log.trn" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_log.trn"
展示結(jié)果部分截圖如下:
清理環(huán)境
清理環(huán)境目的是模擬在一臺全新實(shí)例上還原數(shù)據(jù)庫備份文件。
use master GO -- let"s try to simulate a database crash, here we just drop this database. DROP DATABASE [BackupEncrypted]; GO -- and clean certificate and master key to simulate restore to a new instance. DROP CERTIFICATE MasterCert_BackupEncrypted; GO DROP MASTER KEY; GO
再次查看備份文件信息
清理掉證書和Master Key后,再次查看備份文件信息,此時會報(bào)錯。因?yàn)閿?shù)據(jù)庫備份文件已經(jīng)加密。這種報(bào)錯是我們所預(yù)期的,即就算我們的數(shù)據(jù)庫備份文件被脫庫泄漏,我們的數(shù)據(jù)也可以保證絕對安全,而不會非預(yù)期的還原回來。
USE master GO -- try to get backup files meta info again after clean environment, will be not success now. RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_FULL.bak" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_FULL.bak" RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_DIFF.bak" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_DIFF.bak" RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_log.trn" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_log.trn"
報(bào)錯信息類似如下:
Msg 33111, Level 16, State 3, Line 178 Cannot find server certificate with thumbprint "0xA938CE32CC86DFA6EAD2AED9429814F1A4C683ED". Msg 3013, Level 16, State 1, Line 178 RESTORE FILELIST is terminating abnormally. Msg 33111, Level 16, State 3, Line 179 Cannot find server certificate with thumbprint "0xA938CE32CC86DFA6EAD2AED9429814F1A4C683ED". Msg 3013, Level 16, State 1, Line 179 RESTORE HEADERONLY is terminating abnormally. Msg 33111, Level 16, State 3, Line 181 Cannot find server certificate with thumbprint "0xA938CE32CC86DFA6EAD2AED9429814F1A4C683ED". Msg 3013, Level 16, State 1, Line 181 RESTORE FILELIST is terminating abnormally. Msg 33111, Level 16, State 3, Line 182 Cannot find server certificate with thumbprint "0xA938CE32CC86DFA6EAD2AED9429814F1A4C683ED". Msg 3013, Level 16, State 1, Line 182 RESTORE HEADERONLY is terminating abnormally. Msg 33111, Level 16, State 3, Line 184 Cannot find server certificate with thumbprint "0xA938CE32CC86DFA6EAD2AED9429814F1A4C683ED". Msg 3013, Level 16, State 1, Line 184 RESTORE FILELIST is terminating abnormally. Msg 33111, Level 16, State 3, Line 185 Cannot find server certificate with thumbprint "0xA938CE32CC86DFA6EAD2AED9429814F1A4C683ED". Msg 3013, Level 16, State 1, Line 185 RESTORE HEADERONLY is terminating abnormally.
部分錯誤信息截圖如下:
還原證書文件
數(shù)據(jù)庫備份加密,可以有效防止脫庫泄漏的安全風(fēng)險(xiǎn)。當(dāng)然,合法用戶需要在新實(shí)例上成功還原加密備份文件。首先,創(chuàng)建Master Key;然后,從證書備份文件中,重新創(chuàng)建證書。
USE master GO -- so we have to re-create master key, the certificate and open the IF NOT EXISTS (SELECT * FROM sys.symmetric_keys WHERE name LIKE "%MS_DatabaseMasterKey%") BEGIN CREATE MASTER KEY ENCRYPTION BY PASSWORD = "MasterKey*"; END GO use master GO -- re-create certificate CREATE CERTIFICATE MasterCert_BackupEncrypted FROM FILE = "C:TmpMasterCert_BackupEncrypted.cer" WITH PRIVATE KEY (FILE = "C:TmpMasterCert_BackupEncrypted.key", DECRYPTION BY PASSWORD = "aa11@@AA"); GO
檢查備份文件信息
校驗(yàn)備份文件信息,已經(jīng)可以正確讀取。
USE master GO -- after re-create certificate, try to get backup files meta info again, will be success. RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_FULL.bak" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_FULL.bak" RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_DIFF.bak" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_DIFF.bak" RESTORE FILELISTONLY FROM DISK="C:TmpBackupEncrypted_log.trn" RESTORE HEADERONLY FROM DISK="C:TmpBackupEncrypted_log.trn"
還原已加密完全備份文件
首先,嘗試還原數(shù)據(jù)庫完全備份文件,成功。
USE [master] -- restore encrypted full backup RESTORE DATABASE [BackupEncrypted] FROM DISK = N"C:TmpBackupEncrypted_FULL.bak" WITH FILE = 1, MOVE "BackupEncrypted_data" TO N"E:SQLDATADATABackupEncrypted_data.mdf", MOVE "BackupEncrypted_MemoryOptimized" TO N"E:SQLDATADATABackupEncrypted_MemoryOptimized", MOVE "BackupEncrypted_log" TO N"E:SQLDATADATABackupEncrypted_log.ldf", NOUNLOAD, STATS = 5, NORECOVERY GO
還原已加密差異備份文件
其次,嘗試還原數(shù)據(jù)庫差異備份文件,成功。
-- Restore encrypted diff backup RESTORE DATABASE [BackupEncrypted] FROM DISK = N"C:TmpBackupEncrypted_DIFF.bak" WITH FILE = 1, MOVE "BackupEncrypted_data" TO N"E:SQLDATADATABackupEncrypted_data.mdf", MOVE "BackupEncrypted_MemoryOptimized" TO N"E:SQLDATADATABackupEncrypted_MemoryOptimized", MOVE "BackupEncrypted_log" TO N"E:SQLDATADATABackupEncrypted_log.ldf", NOUNLOAD, STATS = 5, NORECOVERY GO
還原已加密日志備份文件
再次,嘗試還原數(shù)據(jù)庫日志備份文件,成功。
-- restore encrypted transaction log backup RESTORE LOG [BackupEncrypted] FROM DISK = N"C:TmpBackupEncrypted_log.trn" WITH FILE = 1, MOVE "BackupEncrypted_data" TO N"E:SQLDATADATABackupEncrypted_data.mdf", MOVE "BackupEncrypted_MemoryOptimized" TO N"E:SQLDATADATABackupEncrypted_MemoryOptimized", MOVE "BackupEncrypted_log" TO N"E:SQLDATADATABackupEncrypted_log.ldf", NOUNLOAD, STATS = 10 GO
檢查測試表數(shù)據(jù)
最后,檢查測試表的三條測試數(shù)據(jù)。
USE [BackupEncrypted] GO -- double check the three records SELECT * FROM dbo.testTable ORDER BY id;
三條校驗(yàn)數(shù)據(jù)一致。
清理測試環(huán)境
清理掉我們的測試環(huán)境。
use master GO -- clean up the environment DROP DATABASE BackupEncrypted; GO DROP CERTIFICATE MasterCert_BackupEncrypted; GO DROP MASTER KEY; GO
本期月報(bào)我們分享了SQL Server 2014及以上版本如何使用證書實(shí)現(xiàn)數(shù)據(jù)庫備份加密技術(shù),在防范脫庫安全風(fēng)險(xiǎn)的同時,既能夠比較好的保證用戶查詢性能,又不會帶來額外CPU資源的消耗。
SQL Server Transparent Data Encryption (TDE) Performance Comparison
SQLServer · 最佳實(shí)踐 · 透明數(shù)據(jù)加密TDE在SQLServer的應(yīng)用
開啟TDE的RDS SQL Server還原到本地環(huán)境
Understanding Database Backup Encryption in SQL Server
閱讀原文
本文為云棲社區(qū)原創(chuàng)內(nèi)容,未經(jīng)允許不得轉(zhuǎn)載。
文章版權(quán)歸作者所有,未經(jīng)允許請勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除。
轉(zhuǎn)載請注明本文地址:http://systransis.cn/yun/11493.html
摘要:本期月報(bào)我們分享使用實(shí)現(xiàn)隱私數(shù)據(jù)列的打碼技術(shù)最佳實(shí)踐。最后總結(jié)本期月報(bào)我們分享了使用引入的新特性實(shí)現(xiàn)客戶數(shù)據(jù)打碼技術(shù),防止未授權(quán)用戶查看導(dǎo)出用戶關(guān)鍵隱私數(shù)據(jù),最大限度保證用戶數(shù)據(jù)安全性。 摘要 在SQL Server安全系列專題月報(bào)分享中,我們已經(jīng)分享了:如何使用對稱密鑰實(shí)現(xiàn)SQL Server列加密技術(shù)、使用非對稱密鑰加密方式實(shí)現(xiàn)SQL Server列加密、使用混合密鑰實(shí)現(xiàn)SQL S...
摘要:本次月報(bào)我們分享如何利用文件組技術(shù)來實(shí)現(xiàn)數(shù)據(jù)庫冷熱數(shù)據(jù)隔離備份的方案??梢葬槍ξ募M級別進(jìn)行備份和還原操作,更細(xì)粒度控制備份和還原策略。 摘要: 摘要 在SQL Server備份專題分享中,前四期我們分享了:三種常見的數(shù)據(jù)庫備份、備份策略的制定、如何查找備份鏈以及數(shù)據(jù)庫的三種恢復(fù)模式與備份之間的關(guān)系。本次月報(bào)我們分享SQL Server如何利用文件組技術(shù)來實(shí)現(xiàn)數(shù)據(jù)庫冷熱數(shù)據(jù)隔離備份的方...
摘要:在轉(zhuǎn)移到陣營之后,如果想在本機(jī)上安裝微軟的數(shù)據(jù)庫有三種方式第一種是在本機(jī)上安裝版本。微軟也提供了相應(yīng)的幫助文檔鏡像是微軟官方的,但奇怪的是并沒有把其標(biāo)示為。 在轉(zhuǎn)移到Mac OS X 陣營之后,如果想在本機(jī)上安裝微軟的mssql-server數(shù)據(jù)庫有三種方式: 第一種是在本機(jī)上安裝MSSQL for Linux 版本。 第二種是安裝Windows虛擬機(jī),然后在虛擬機(jī)里面使用ISO文件...
閱讀 2652·2021-11-11 16:54
閱讀 3627·2021-08-16 10:46
閱讀 3427·2019-08-30 14:18
閱讀 2986·2019-08-30 14:01
閱讀 2701·2019-08-29 14:15
閱讀 1982·2019-08-29 11:31
閱讀 3059·2019-08-29 11:05
閱讀 2565·2019-08-26 11:54