The previous post (https://blog.csdn.net/Hehuyi_In/article/details/102926952) left one question open: how do you add a database that already has TDE enabled to an availability group (AG)?
In practice, TDE for AlwaysOn covers two situations:
- enabling TDE on a database that is already in the AG
- adding a database that already has TDE enabled to the AG (more involved)
Note that when TDE is used with database mirroring, log shipping or AlwaysOn, both the primary and the secondary copies are encrypted; encryption does not have to be enabled explicitly on the secondary, and the transaction log records are encrypted while they are sent between the replicas. What every secondary does need is a copy of the certificate (with its private key) that protects the database encryption key; without it the secondary cannot open the database.
一、 Enabling TDE on a database that is already in the AG
Note: for each of the steps below, skip the step if the object already exists; creating it a second time raises an error.
1. Create the DMK on the primary
Already created in the domainless AlwaysOn setup from the earlier posts, so this step can be skipped there
USE master
GO
-- Create the database master key (DMK) in master
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';
-- Back up the DMK; keep the file and its password somewhere other than the server itself
BACKUP MASTER KEY
TO FILE = '\\<PRIMARYSERVERNAME>\E$\MSSQL\TDE\<PRIMARYSERVERNAME>_BACKUPKEY'
ENCRYPTION BY PASSWORD = '<password>';
2. Create the certificate on the primary
Already created in the domainless AlwaysOn setup from the earlier posts, so this step can be skipped there
-- Create a certificate protected by the DMK; it will protect the database encryption key
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE_CERT';
-- Back up the certificate together with its private key;
-- the same password is needed to import it on the secondary (and to restore any TDE backup elsewhere)
BACKUP CERTIFICATE TDECert
TO FILE = 'C:\TDE\TDECert_backup'
WITH PRIVATE KEY (FILE = 'C:\TDE\TDECert_key',
ENCRYPTION BY PASSWORD = 'xxx');
3. Create the DEK on the primary
USE testag
GO
-- Create the database encryption key (DEK), protected by the server certificate.
-- AES_128 is what the original uses; AES_256 is the usual choice for new deployments.
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
4. Create and back up the DMK on the secondary
Already created in the domainless AlwaysOn setup from the earlier posts, so this step can be skipped there
-- Check whether the DMK already exists
USE master;
GO
SELECT * FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##'
-- Create it only if the query returned no row
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';
-- Back up the DMK
BACKUP MASTER KEY
TO FILE = '\\<SECONDARYSERVERNAME>\E$\MSSQL\TDE\<SECONDARYSERVERNAME>_BACKUPKEY'
ENCRYPTION BY PASSWORD = '<password>';
5. Create and back up the certificate on the secondary
Copy the certificate backup and private-key file from the primary (step 2) to the secondary first. Already created in the domainless AlwaysOn setup from the earlier posts, so this step can be skipped there
-- Create the certificate from the primary's backup; it is protected by this instance's DMK.
-- DECRYPTION BY PASSWORD must be the password used in ENCRYPTION BY PASSWORD when it was exported.
CREATE CERTIFICATE TDECert
FROM FILE = 'C:\TDE\TDECert_backup'
WITH PRIVATE KEY (FILE = 'C:\TDE\TDECert_key',
DECRYPTION BY PASSWORD = 'xxx');
GO
-- Back up the certificate again from this instance.
-- BACKUP CERTIFICATE refuses to overwrite an existing file, so the target must not be the file just imported;
-- the *_secondary names below are chosen for that reason.
BACKUP CERTIFICATE TDECert
TO FILE = 'C:\TDE\TDECert_backup_secondary'
WITH PRIVATE KEY (FILE = 'C:\TDE\TDECert_key_secondary',
ENCRYPTION BY PASSWORD = 'xxx');
6. Enable TDE on the primary
ALTER DATABASE testag SET ENCRYPTION ON;
7. Check the encryption status
Run this on both replicas. encryption_state 2 means the background encryption scan is still running (watch percent_complete), 3 means the database is fully encrypted.
USE master;
GO
SELECT db.name,db.is_encrypted,dm.encryption_state,dm.percent_complete,dm.key_algorithm,dm.key_length
FROM sys.databases db LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id;
Result on the primary (screenshot in the original)
Result on the secondary (screenshot in the original)
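The check in step 7 only tells you whether each database is encrypted. The query below, an added example that is not from the original post, also decodes encryption_state and verifies that a certificate with the thumbprint that protects the DEK is present, with its private key, on the replica where it runs. SQL Server matches the certificate by thumbprint rather than by name, so a certificate that was merely recreated with the same name on the secondary will not do; a missing thumbprint is the usual reason a secondary copy cannot be opened. The second query confirms that the DMK in master is encrypted by the service master key (crypt_type ESKM), which is what lets the instance open the certificate, and therefore the DEK, automatically at startup. The same check applies to the second scenario below. Object names follow the post; only standard catalog views are used.

```sql
-- Added example (not from the original post): run on every replica after enabling TDE.
USE master;
GO
-- 1. Encryption state of each user database and whether its protecting certificate is here
SELECT
    db.name                               AS database_name,
    db.is_encrypted,
    dek.encryption_state,
    CASE dek.encryption_state
        WHEN 0 THEN 'No DEK present, not encrypted'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'Unknown'
    END                                   AS encryption_state_desc,
    dek.percent_complete,
    dek.key_algorithm,
    dek.key_length,
    dek.encryptor_thumbprint,             -- compare this value across replicas; it must be identical
    cer.name                              AS certificate_name,
    cer.pvt_key_encryption_type_desc,
    CASE
        WHEN cer.thumbprint IS NULL
            THEN 'MISSING: no certificate with this thumbprint on this instance'
        WHEN cer.pvt_key_encryption_type_desc <> 'ENCRYPTED_BY_MASTER_KEY'
            THEN 'WARNING: private key missing or not protected by the DMK'
        ELSE 'OK'
    END                                   AS certificate_check
FROM sys.databases AS db
JOIN sys.dm_database_encryption_keys AS dek ON dek.database_id = db.database_id
LEFT JOIN sys.certificates AS cer ON cer.thumbprint = dek.encryptor_thumbprint
WHERE db.database_id > 4   -- skip system databases; tempdb gets a DEK as soon as any user database is encrypted
ORDER BY db.name;

-- 2. The DMK in master must have a row with crypt_type = 'ESKM' (encrypted by the service master key);
--    if it only has 'ESKP' (password) the certificate cannot be opened without OPEN MASTER KEY.
SELECT k.name, ke.crypt_type, ke.crypt_type_desc
FROM sys.symmetric_keys AS k
JOIN sys.key_encryptions AS ke ON ke.key_id = k.symmetric_key_id
WHERE k.name = '##MS_DatabaseMasterKey##';
```

Run the first query on the primary and on each secondary and diff the encryptor_thumbprint and certificate_check columns; a secondary that reports MISSING needs the certificate imported from the primary's backup (step 5) before the database can be opened there.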
二、 Adding a database that already has TDE enabled to the AG
This is the more involved case: the availability group wizard will not add a TDE-encrypted database, so it has to be added manually (add the database on the primary, then restore it on the secondary WITH NORECOVERY and join it there).
1. Create the DMK on the primary
Already created in the domainless AlwaysOn setup from the earlier posts, so this step can be skipped there
-- Does the DMK exist on the primary?
USE master;
GO
SELECT * FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##'
-- Create it only if the query returned no row
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';
2. Back up the certificate on the primary
Already created in the domainless AlwaysOn setup from the earlier posts, so this step can be skipped there
-- Which certificate protects the database's DEK? (matched by thumbprint; no row means the certificate is not in master)
USE master;
GO
SELECT db_name(database_id) DatabaseName,cer.name as CertificateName
FROM sys.dm_database_encryption_keys dek INNER JOIN sys.certificates cer ON dek.encryptor_thumbprint = cer.thumbprint
WHERE db_name(database_id) ='<TDE_DATABASE>'
-- Back up that certificate with its private key, using the name returned above
BACKUP CERTIFICATE <PRIMARYSERVERNAME>_CERT TO FILE = '\\<PRIMARYSERVERNAME>\E$\MSSQL\TDE\<PRIMARYSERVERNAME>_BACKUPCERT'
WITH PRIVATE KEY (FILE = '\\<PRIMARYSERVERNAME>\E$\MSSQL\TDE\<PRIMARYSERVERNAME>_PRIVKEY',ENCRYPTION BY PASSWORD = '<password>');
3. Create the certificate on the secondary from the primary's certificate backup
Copy the primary's certificate backup and private-key file to the secondary first, then create the certificate from them. Already created in the domainless AlwaysOn setup from the earlier posts, so this step can be skipped there
-- Create the certificate, protected by this instance's DMK, from the files produced in step 2.
-- The name given here may differ from the primary's; the thumbprint, which comes from the file, is what must match.
CREATE CERTIFICATE TDECert
FROM FILE = 'C:\TDE\TDECert_backup'
WITH PRIVATE KEY (FILE = 'C:\TDE\TDECert_key',
DECRYPTION BY PASSWORD = 'xxx');   -- the password used in step 2's ENCRYPTION BY PASSWORD
GO
4. Add the DB to the AG on the primary
ALTER AVAILABILITY GROUP <AGNAME> ADD DATABASE <TDE_DATABASE>;
5. Take a full backup and a log backup of the DB on the primary
Full backup (screenshot in the original)
Log backup (screenshot in the original)
Copy the backup files to the secondary
6. On the secondary, restore the full backup and the log backup
Restore the full backup; in the options choose RESTORE WITH NORECOVERY
The database state becomes Restoring
Restore the transaction log; in the options again choose RESTORE WITH NORECOVERY
The database state is still Restoring at this point, which is what the join in the next step requires
7. Join the DB to the AG on the secondary
USE master;
GO
-- PlanError is the database name in the author's environment; use the name of the database you restored
ALTER DATABASE PlanError SET HADR AVAILABILITY GROUP = TESTAG;
A quick test then shows that the data has synchronized to the secondary (screenshot in the original)
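Steps 5 to 7 are performed through the SSMS GUI in the original. The script below is an added example, not from the original post, that does the same in T-SQL and adds the check a practitioner wants before the restore: the restore of a TDE-encrypted backup fails with error 33111 ("Cannot find server certificate with thumbprint ...") unless a certificate with the primary's thumbprint is present on the secondary with its private key. The database name testag, the AG name TESTAG and the certificate name TDECert follow the post; the backup folder D:\Backup and the file names testag_full.bak and testag_log.trn are assumptions for this example.

```sql
-- Added example (not from the original post): T-SQL equivalent of steps 5 to 7.
-- Assumed names: database testag, AG TESTAG, certificate TDECert, backup folder D:\Backup.

--------------------------------------------------------------------------------
-- On the PRIMARY: full backup, then a log backup taken after the database joined the AG (step 4)
--------------------------------------------------------------------------------
BACKUP DATABASE testag
    TO DISK = N'D:\Backup\testag_full.bak'
    WITH INIT, CHECKSUM, STATS = 10;      -- pages stay encrypted inside the backup file
BACKUP LOG testag
    TO DISK = N'D:\Backup\testag_log.trn'
    WITH INIT, CHECKSUM, STATS = 10;
-- Copy both files to D:\Backup on the secondary before continuing.

--------------------------------------------------------------------------------
-- On the SECONDARY: pre-flight check, restore WITH NORECOVERY, join, verify
--------------------------------------------------------------------------------
USE master;
GO
-- Pre-flight: the thumbprint must equal the one shown for TDECert in sys.certificates on the primary,
-- and the private key must be present (pvt_key_encryption_type_desc = ENCRYPTED_BY_MASTER_KEY).
-- If this returns no row, go back to step 3; the restore below would fail with error 33111.
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TDECert';

-- Restore full + log, leaving the database in RESTORING (never WITH RECOVERY here).
-- Add WITH MOVE clauses if the data/log paths differ from the primary's.
RESTORE DATABASE testag
    FROM DISK = N'D:\Backup\testag_full.bak'
    WITH NORECOVERY, CHECKSUM, STATS = 10;
RESTORE LOG testag
    FROM DISK = N'D:\Backup\testag_log.trn'
    WITH NORECOVERY, STATS = 10;

-- Join the restoring database to the AG on this replica (step 7)
ALTER DATABASE testag SET HADR AVAILABILITY GROUP = TESTAG;
GO

-- Verify: the local replica should report SYNCHRONIZED (or SYNCHRONIZING for async commit)
-- and the secondary copy should show encryption_state 3 once it is open.
SELECT
    DB_NAME(drs.database_id)          AS database_name,
    ar.replica_server_name,
    drs.synchronization_state_desc,
    drs.synchronization_health_desc,
    dek.encryption_state              -- 3 = encrypted
FROM sys.dm_hadr_database_replica_states AS drs
JOIN sys.availability_replicas AS ar ON ar.replica_id = drs.replica_id
LEFT JOIN sys.dm_database_encryption_keys AS dek ON dek.database_id = drs.database_id
WHERE drs.database_id = DB_ID('testag');
```

The log backup must be taken after the ALTER AVAILABILITY GROUP ... ADD DATABASE in step 4; otherwise the secondary's log chain ends before the database joined and the join on the secondary is rejected until a newer log backup is restored.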
Reference
https://www.sqlservercentral.com/articles/enabling-tde-on-databases-in-an-alwayson-scenario