AWS RDS encryption: Transparent Data Encryption (TDE) in AWS RDS SQL Server

In this article, we will review Transparent Data Encryption (TDE) in AWS RDS SQL Server. AWS RDS supports TDE on the Enterprise edition of SQL Server 2012, 2014, 2016 and 2017.

The following are the steps involved in enabling Transparent Data Encryption (TDE) on an Amazon RDS SQL Server instance.

  1. Creating an option group and adding the Transparent Data Encryption (TDE) option
  2. Associating the option group with the DB instance
  3. Creating a database encryption key (DEK) on the database and enabling encryption on the database

Let’s go over these steps one by one.

Creating an option group and adding the TDE option

Log in to the AWS console. Search for RDS in the services and click on RDS, the managed relational database service, as shown in the image below.

In the AWS RDS console, click on Option groups. This page lists the option groups: the default option groups created by the system and the custom option groups created by users.

Now we need to create a custom option group.

Click on Create group.

Enter the name and description of the option group and select the engine “sqlserver-ee”, as Transparent Data Encryption (TDE) in RDS is supported only on SQL Server Enterprise edition. Select the major engine version; if you are using SQL Server 2017 Enterprise edition, select major version 14.00. Click the Create button as shown below.

Once the option group is created, navigate to the ‘Option groups’ page in the AWS RDS console. Select the option group you just created and click on Add option.

Select the option TRANSPARENT_DATA_ENCRYPTION and select Immediately for scheduling; this is safe because the option group is new and has no DB instances associated with it yet. Click on Add option.

Associating the option group with the database instance

Once we have created the option group with the TRANSPARENT_DATA_ENCRYPTION option, we need to associate the option group with the database instance.

Click on Databases in the RDS console to navigate to the databases page, which lists the database instances. Select the database instance on which you want to enable Transparent Data Encryption (TDE) and click on Modify.

In the Database options section, select the option group you created above and click on Continue at the bottom of the page.

In the Scheduling of modifications section, select “Apply during the next scheduled maintenance window” if you want to associate the option group with the database instance during the maintenance window.

Select “Apply immediately” if you want to associate the option group with the database instance right away. Any other pending modifications to the database instance will also be applied along with the option group change; the summary of modifications lists all of them. Choose the scheduling option with care, as some modifications cause the database instance to restart.

As I am doing this for demo purposes, I am applying the modifications immediately. Click on Modify DB Instance.

The database instance goes into the Modifying state as soon as you click on Modify DB Instance. Wait until the status changes and the instance becomes Available.

Once the instance is available, log in to the database instance using SQL Server Management Studio.

When you associate an option group that has TRANSPARENT_DATA_ENCRYPTION enabled with the DB instance, RDS automatically creates a certificate in the master database.

The name of the certificate is “RDSTDECertificate” suffixed with a timestamp; please refer to the image below. Unlike on-premises SQL Server, we cannot create our own certificate in the master database on RDS: the attempt fails with the error “User does not have permission to perform this action”.

Execute the following script on the master database to find the name of the certificate.

USE [master]
GO
SELECT name FROM sys.certificates WHERE name LIKE 'RDSTDECertificate%'
GO

Creating a database encryption key (DEK) on the database and enabling encryption on the database

Now we have the certificate in the master database that will be used to create the database encryption key.

Switch to the database on which you are going to enable encryption and execute the following T-SQL script to create a database encryption key. In my case, the name of the certificate created in the master database is “RDSTDECertificate20190720T093919”. Replace the certificate name with yours.

USE [TDEDemo]
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE [RDSTDECertificate20190720T093919]
GO

Once the database encryption key is created, enable encryption on the database. Execute the following T-SQL script, replacing “TDEDemo” with the name of the database on which you are going to enable encryption.

ALTER DATABASE [TDEDemo]
SET ENCRYPTION ON
GO
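The two scripts above hardcode the timestamped certificate name, which changes from instance to instance. The following script is an added example, not part of the original article: it looks up the RDS-managed certificate from sys.certificates, creates the DEK only if the database does not already have one, and then enables encryption. It assumes the database is named TDEDemo as in the article, and it chooses AES_256 instead of the article's AES_128 (both algorithms are accepted by CREATE DATABASE ENCRYPTION KEY). Dynamic SQL is needed because the certificate name in CREATE DATABASE ENCRYPTION KEY cannot be a variable.

```sql
-- Added example (not from the original article): enable TDE on TDEDemo
-- without hardcoding the timestamped RDSTDECertificate name.
USE [TDEDemo];
GO
DECLARE @cert sysname;

-- Pick the newest RDS-managed certificate in master (there is normally only one).
SELECT TOP (1) @cert = name
FROM master.sys.certificates
WHERE name LIKE 'RDSTDECertificate%'
ORDER BY start_date DESC;

-- No certificate means the TDE option group is not yet associated with the instance.
IF @cert IS NULL
    THROW 50000, 'No RDSTDECertificate found in master; is the TDE option group associated with this instance?', 1;

-- Create the DEK only once; a second CREATE DATABASE ENCRYPTION KEY would fail.
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID('TDEDemo'))
BEGIN
    DECLARE @sql nvarchar(max) =
        N'CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 '
      + N'ENCRYPTION BY SERVER CERTIFICATE ' + QUOTENAME(@cert) + N';';
    EXEC sys.sp_executesql @sql;
END

-- Turn encryption on only if it is not already on (idempotent re-runs).
IF EXISTS (SELECT 1 FROM sys.databases WHERE name = N'TDEDemo' AND is_encrypted = 0)
    ALTER DATABASE [TDEDemo] SET ENCRYPTION ON;
GO
```

QUOTENAME guards against a malformed certificate name being spliced into the dynamic statement, and the existence checks make the script safe to run again after a partial failure.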

Execute the following script to verify whether encryption is enabled on the database.

USE [master]
GO
SELECT name FROM sys.databases WHERE is_encrypted = 1
GO
SELECT db_name(database_id) as DatabaseName, * FROM sys.dm_database_encryption_keys
GO

Removing Transparent Data Encryption (TDE) from an AWS RDS instance

We cannot modify the instance to associate it with the default option group while an encrypted object exists in a database. To change the associated option group to the default group, or to another option group without Transparent Data Encryption (TDE), we must first remove encryption from the databases.

To disable TDE on the instance, turn encryption off on the databases first. Execute the following script to remove encryption from the database.

ALTER DATABASE [TDEDemo]
SET ENCRYPTION OFF
GO

Check whether decryption has completed by executing the following query; encryption_state should be 1 (unencrypted).

SELECT db_name(database_id) as DatabaseName, * FROM sys.dm_database_encryption_keys
GO

Drop the encryption key on the database.

USE [TDEDemo]
GO
DROP DATABASE ENCRYPTION KEY
GO
ALTER DATABASE [TDEDemo] SET RECOVERY SIMPLE
GO
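The removal steps above are three separate scripts, and the middle one only works once the background decryption scan has finished: DROP DATABASE ENCRYPTION KEY fails while encryption_state is still 5. As an added example that is not part of the original article, the following script chains the steps together and polls the DMV until the database reports state 1 before dropping the key. It assumes the database TDEDemo from the article; the 10-second poll interval and the 30-minute deadline are constructed values, not RDS settings.

```sql
-- Added example (not from the original article): turn TDE off on TDEDemo,
-- wait for decryption to finish, then drop the DEK and truncate the log.
USE [TDEDemo];
GO
ALTER DATABASE [TDEDemo] SET ENCRYPTION OFF;
GO
DECLARE @state int = -1;
DECLARE @deadline datetime2 = DATEADD(MINUTE, 30, SYSUTCDATETIME());  -- constructed cap

-- Poll until the decryption scan completes (state 5 -> 1) or the deadline passes.
WHILE SYSUTCDATETIME() < @deadline
BEGIN
    SELECT @state = encryption_state
    FROM sys.dm_database_encryption_keys
    WHERE database_id = DB_ID('TDEDemo');

    IF @state = 1 BREAK;            -- unencrypted: safe to drop the key
    WAITFOR DELAY '00:00:10';       -- constructed poll interval
END

-- Leave the DEK in place if decryption is still running; dropping it would fail anyway.
IF @state <> 1
    THROW 50001, 'Decryption of TDEDemo has not finished; the DEK was not dropped. Retry later.', 1;

DROP DATABASE ENCRYPTION KEY;

-- Same step as the article: switch to SIMPLE so the log written under encryption is truncated.
ALTER DATABASE [TDEDemo] SET RECOVERY SIMPLE;
GO
```

Because THROW ends the batch, the DROP and the recovery-model change never run on a database that is still mid-decryption. Keep in mind that RDS manages the recovery model itself: with automated backups enabled it resets a database switched to SIMPLE back to FULL on its own, so treat the SIMPLE switch as a transient truncation step rather than a permanent setting.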

Once all the objects in the database are decrypted and the encrypted log has been truncated, you can modify the database instance to associate it with the default option group.

Conclusion

In this article, we explored how to enable the Transparent Data Encryption (TDE) option in AWS RDS SQL Server and how to enable encryption on a database using the default certificate created in the master database. In case you have any questions, please feel free to ask in the comment section below.

Translated from: https://www.sqlshack.com/transparent-data-encryption-tde-in-aws-rds-sql-server/
