A service from Red Gate

in
Home SQL .NET SysAdmin Opinion Blogs Forums Books About
Sign in | Join | Help
Home Blogs Forums
Blogs Home > John Magnabosco > Encryption and Backup Files

John Magnabosco

SQL Server Development and Data Security

Encryption and Backup Files

Published Wednesday, July 01, 2009 10:24 AM

In the efforts to protect sensitive data there are some considerations that expand beyond its storage within database; more specifically, the backup files that are generated through the database backup process. Backup files are often kept on devices or media that are removed from the database server and stored in a separate location. If not properly secured these devices can be stealthily snatched away, exposing the backup files contained within.

If you were to open a backup file in a program like Notepad, your first impression is that the file contains a bunch of garbley-gunk resulting in the false perception that any plain text sensitive data in the backup file cannot be disclosed by simply scanning the raw backup file. In reality, the data in the database that is stored in plain text is not modified and appears in the backup files as plain text.

To see this for yourself, obtain a plain text value that has not been encrypted or hashed in your database, such as a credit card number or Social Security Number. Open your most recent backup file in an editor like Notepad, Wordpad or Textpad and perform a search for that value. You will discover that the sensitive data that is in plain text within the database also is in plain text in the backup file.

Microsoft SQL Server 2008, Enterprise Edition, introduced Transparent Data Encryption (TDE)  as a new feature that was designed to address this issue. This feature encrypts the physical files of the database. This includes any backup files that are generated through the native backup functionality.

The Database Encryption Key (DEK) is a key that was introduced to the encryption key hierarchy in support of the TDE feature. The DEK encrypts the physical files using one of the following algorithms:

  • Advanced Encryption Standard (AES) using key length options of 128, 192 or 256 bit.
  • Triple DES 3 Key which is an expanded key length version of Triple DES using a 192 bit key.

For a more in depth exploration of TDE and backup/recovery, check out my blog entry with the title "TDE: Under The Hood With Backup".

For those who do not have Microsoft SQL Server 2008, Enterprise Edition, or do not wish to implement TDE, the need to protect your database backup files remains. There are many third-party backup products available on the market that provide encryption to the backup files that they generate. Three popular options are:

LiteSpeed for SQL Server (Quest Software: Price not published)
This product encrypts backup files using:

  • Advanced Encryption Standard (AES) which uses a 256 bit key.

The encryption feature of this product has been available for many versions. The current version of this product is 5.1 which added features such as the ability to define when to perform a differential or full backup, support for SQL Server 2000/2005 Standard Edition, native log shipping conversion and more. For more details on the latest release check out Quest Software's release information page.

SQL Safe Backup (Idera: $1,195 - estimated)
This product offers the user a choice of the algorithm used to protect the backup files. The available options are:

  • Data Encryption Standard (DES) which uses a 64 bit key. (not recommended)
  • Triple DES which uses a 168 bit key.
  • RC2 which uses a 128 bit key.
  • Advanced Encryption Standard (AES) which uses a 256 bit key.

The AES 256 bit key encryption option is new with its current version, 5.0, which became available on June 29, 2009. This version also provides log shipping as new functionality. For more details on the latest version of this product, check out Idera's "What's New" page.

SQL Backup Pro (Red-Gate Software: $795 - estimated)
This product encrypts backup files using:

  • Advanced Encryption Standard (AES) algorithm with an option of 128 or 256 bit key length.

The encryption features of this product have existed since its initial release. Version 4 introduced the 256 bit key option. At the time of this blog entry the current version is 5.4. Version 6.0 is slated for release this Summer. This new release will include features such as handling of network outages during backup, "self-healing" log shipping, advanced compression algorithm and much more. For more details check out Red-Gate's fact sheet for the release of version 6.0.

by Johnm

Comments

 

Brent Ozar said:

Great article!  One addition - Quest LiteSpeed supports a ton of encryption levels.  The readme just cites that one method because it's new, but LiteSpeed supports RC2 (40, 56, 112, 128 bit), 3DES 168-bit, RC4 (128-bit), AES (128, 192, 256-bit).
July 3, 2009 9:11 AM
 

Johnm said:

To all readers: Red-Gate has notified me that the new version of SQL Backup, which is the version 6.0 that I referenced in the above blog, was released on July 9, 2009.
July 9, 2009 8:32 AM
 

javen said:

Another product not mentioned which allows you to encrypt database backups with AES-128, 192 and 256 bit encryption is HyperBac, developed by several of the founding developers of LiteSpeed.  Uses file system filter technology which means that you can use native SQL command syntax as opposed to extended stored procs.  Also uses certificate/file based encryption as opposed to secret key/password based encryption, which is different to the others mentioned.  Cost $799 per server.
July 10, 2009 3:27 PM
You need to sign in to comment on this blog

About Johnm

John Magnabosco manages the Data Services Group at one of the fastest growing companies in the United States. He is also the current President and Co-Founder of the Indianapolis Professional Association for SQL Server (IndyPASS), the Speaker Coordinator and Co-Founder of IndyTechFest and the author of the book titled "Protecting SQL Server Data". John is a Microsoft MVP for SQL Server.
  Opinion Home

  Opinion Pieces (155 articles)

  Geek of the Week (63 articles)

  Tony Davis - Editor (5 articles)

  Phil Factor (52 articles)

  Damon Armstrong (10 articles)

  Douglas Reilly (40 articles)

  Adrian Furnham (1 articles)

  Claire Brooking (1 articles)

  Richard Morris (66 articles)

  Tim Gorman (1 articles)

  Jesse Liberty (5 articles)

  Sarah Blow (1 articles)

  Anna Larjomaa (1 articles)

  Gaidar Magdanurov (2 articles)

  Regular Columnists (1 articles)

  Ben Hall (5 articles)

  Larry Gonick (44 articles)

  Blogs Home
<July 2009>
SuMoTuWeThFrSa
2829301234
567891011
12131415161718
19202122232425
2627282930311
2345678
Finding Stuff in SQL Server Database DDL
 You'd have thought that nothing would be easier than using SQL Server Management Studio (SSMS) for... Read more...

Mission Critical: SQL Server 2008 Performance Tuning Task List
 In which Buck Woody imagines how the US military would have tackled DBA checklists for... Read more...

Simple Query tuning with STATISTICS IO and Execution plans
 A great deal can be gleaned from the use of the STATISTICS IO and the execution plan, when you are... Read more...

Switching rows and columns in SQL
 When they use SQL Server, one the commoner questions that Ms Access programmers ask is 'Where's the... Read more...

Writing Efficient SQL: Set-Based Speed Phreakery
 Phil Factor's SQL Speed Phreak challenge is an event where coders battle to produce the fastest code to... Read more...