Use TDE with SQL Server in Windows Azure virtual machines

Editorial Staff Note: This article is written by Sung Hsueh, senior project manager, SQL Server team.

One of the most recent uses of SQL Server is to create managed SQL using the Windows Azure infrastructure services of http://www.aliyun.com/zixun/aggregation/11208.html ">microsoft" Server's Windows Azure virtual machine. After launching the SQL Server 2008 R2 Enterprise Edition and SQL Server 2012 Enterprise Edition in Windows Azure virtual machines, you now have the option to use our enterprise-level features, such as SQL Server auditing and transparent data encryption, for minute billing and preconfigured, Ready to deploy Windows Azure virtual machine! Of course, if you like, you can still choose to take advantage of these features through a mobile license to continue to use the existing software security or Enterprise Agreement license instead of the minute billing.

Use TDE with SQL Server in Windows Azure virtual machines

Here's a quick walkthrough of transparent data encryption to see how to configure it. First, create a Windows Azure virtual machine that has SQL Server installed by using the Windows Azure Management Portal:

Now start creating the database!

If you want to add encryption to a database, the next few steps will be the same as the steps to run SQL Server locally:

1. Log on to the computer with the credentials of the user who can create the object in the master database

2. Run the following DDL ("Use MASTER") in the MASTER database:

CREATE MASTER
KEY encryption by PASSWORD = ' < your password > ';

Go

CREATE
Certificate Tdeservercert with SUBJECT = ' My TDE certificate ';

Go

3. Switch to the database you want to encrypt

4. Run the following DDL:

CREATE DATABASE Encryption KEY with
Algorithm = aes_256 encryption by SERVER certificate Tdeservercert;

Go

ALTER database [your database name] SET encryption on;

Go

Done！ The encryption will run in the background (you can check Sys.dm_database_encryption_keys). This is exactly the same as your internal deployment SQL Server instance, with no difference. Similarly, you can continue to use SQL Server auditing as you would in a local deployment.

Other security considerations

Here are some other things to keep in mind, and be sure to follow the best security practices. Issues to consider include:

reduces perimeter applications by disabling unnecessary services use Policy-based management capabilities to detect security conditions (such as using weak algorithms) to minimize permissions whenever possible, avoid using built-in accounts or groups (such as SA or sysadmin), and consider using SQL Server auditing to track administrative actions If you plan to use encryption, consider creating a key aging/rotation policy, starting with the service master key to consider using SSL encryption, especially when connecting to SQL Server through a public endpoint in Windows Azure, consider SQL Server port 1433 for the default instance Change to a different port, especially when connecting to SQL Server through a common endpoint in Windows Azure (preferably to avoid external connections to SQL Server instances entirely through the public Internet)

Concluding remarks ...

Running the SQL Server Enterprise Edition in Windows Azure virtual machines allows you to extend the best security practices and expertise in existing applications, running applications in the cloud with Microsoft Windows Azure And only pay for the part you use, including the Enterprise version, by the minute billing option. ）。 Try it quickly and tell us your experience!