连接不同地理区域的数据库的最佳实践

Question

RateControl

Asked: 2011-04-07 12:05:04 +0800 CST2011-04-07 12:05:04 +0800 CST 2011-04-07 12:05:04 +0800 CST

使用 TDE 进行数据库镜像

772

我需要镜像一些数据库并在它们上使用透明数据加密(TDE)，因为我们的数据必须在“静止”时加密。

我在主体和镜像上都设置了 TDE。当我设置两个数据库的镜像时，我遇到的问题就出现了。由于我使用的是 TDE，我不知道通过 gui 设置镜像的方法，所以我不得不使用 t-sql 来完成工作。

下面是我在镜像服务器上使用的代码

--Restore the full backup to the mirrored mdf and ldf
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
RESTORE DATABASE TDE
   FROM disk = '\\SERVERNAME\SQL_Stuff\Backup\TDE_FULL.bak'
      WITH NORECOVERY,
       REPLACE,
       MOVE 'TDE' TO 'E:\TDE.mdf',
      REPLACE,
      MOVE 'TDE_log' TO 'G:\TDE.ldf'
CLOSE MASTER KEY 
GO

--Restore the log backup to the mirrored db
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
RESTORE LOG TDE
    FROM DISK = '\\SERVERNAME\SQL_Stuff\Backup\TDE_LOG.trn'
    WITH NORECOVERY;
CLOSE MASTER KEY
GO


--Drop/Create Mirroring endpoint on mirror
--DROP ENDPOINT TDE
CREATE ENDPOINT TDE
    STATE = STARTED
    AS TCP ( LISTENER_PORT = 7025 )
    FOR DATABASE_MIRRORING (
        ROLE = PARTNER
        );
GO

--Check the endpoints for the mirror
USE MASTER
SELECT * FROM sys.database_mirroring_endpoints
GO

--Set the principal on the mirrored db
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
ALTER DATABASE TDE SET PARTNER = 'TCP://PRINCIPAL.DOMAIN.local:7022'
GO
CLOSE MASTER KEY
GO

下面是我在主体服务器上使用的代码。

----------------------Mirroring Section----------------------------------

--Full Backup of Principal
USE TDE
GO
BACKUP DATABASE TDE
TO DISK = '\\SERVERNAME\SQL_Stuff\Backup\TDE_FULL.bak'
    WITH COMPRESSION,
         NAME = 'Full Backup of TDE';
GO

---Log Backup of Principal
USE TDE
GO
BACKUP LOG TDE
TO DISK = '\\SERVERNAME\SQL_Stuff\Backup\TDE_LOG.trn'
    WITH COMPRESSION,
         NAME = 'Log backup of TDE'
GO

--Drop/Create Mirroring endpoint on principal
--DROP ENDPOINT TDE
CREATE ENDPOINT TDE
    STATE = STARTED
    AS TCP ( LISTENER_PORT = 7022 )
    FOR DATABASE_MIRRORING (
        ROLE = PARTNER
        );
GO

--Check the endpoints for the princple
USE master
select * from sys.database_mirroring_endpoints
GO

--Set the mirror db on the principal db
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
ALTER DATABASE TDE SET PARTNER = 'TCP://MIRROR.DOMAIN.local:7025'
CLOSE MASTER KEY
GO

我首先设置了镜像端点，然后是主体端点。然后我在镜像上发出ALTER DATABASE，然后在主体上发出，我得到错误：

 Msg 1416, Level 16, State 31, Line 2
Database "TDE" is not configured for database mirroring.

我不知道该怎么办。镜像处于“正在恢复”状态，但我确定该错误与主体数据库有关。

谢谢你提供的所有帮助！

主要 TDE 的更新 代码：

--Create Master Key in Master Database
USE MASTER
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '1Password';
PRINT 'created master key'
go

--Backing up the master key file
USE master;
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password';
BACKUP MASTER KEY TO FILE = '\\SERVERNAME\TDE_Master_Key.key' ENCRYPTION BY PASSWORD = '1Password';
GO

--Create Server Certificate in the Master Database encrypted with master key (created above) which would be used to create USER database encryption key.
USE Master
CREATE CERTIFICATE Cert_For_TDE WITH SUBJECT = 'Master_Cert_for_TDE', EXPIRY_DATE = '3500-Jan-01';
Go

--Backing up the server cert file
--USE master;
BACKUP CERTIFICATE Cert_For_TDE TO FILE = '\\SERVERNAME\TDE_Cert.cer' 
    WITH PRIVATE KEY ( FILE = '\\SERVERNAME\TDE_Cert_Key.key', ENCRYPTION BY PASSWORD = '1Password');
GO

--Create user database key
USE TDE
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE Cert_For_TDE;
GO

--Enabling Transparent Database Encryption for the USER Database
USE master;
GO
ALTER DATABASE TDE SET ENCRYPTION ON
GO

TDE镜像代码：

--restore the backed up key to the mirror
use master
RESTORE MASTER KEY
    FROM FILE = '\\SERVERNAME\TDE_Master_Key.key'
    DECRYPTION BY PASSWORD = '1Password'
    ENCRYPTION BY PASSWORD = '1Password';
GO

--restore the backed up cert to the mirror
USE Master;
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
CREATE CERTIFICATE Cert_For_TDE    
FROM FILE = '\\SERVERNAME\TDE_Cert.cer' WITH PRIVATE KEY ( FILE = '\\SERVERNAME\TDE_Cert_Key.key', DECRYPTION BY PASSWORD = '1Password');
GO

Update2 sys.database_mirroring_endpoints 与 sys.tcp_endpoints 在 Principal show 中加入：

endpoint_id name    principal_id    state_desc  role_desc   connection_auth_desc    certificate_id  encryption_algorithm_desc   port    ip_address
65545   TDE 261 STARTED PARTNER NEGOTIATE   0   RC4 7022    NULL

sys.database_mirroring_endpoints 与 sys.tcp_endpoints 在镜像显示中加入：

endpoint_id name    principal_id    state_desc  role_desc   connection_auth_desc    certificate_id  encryption_algorithm_desc   port    ip_address
65537   TDE 261 STARTED PARTNER NEGOTIATE   0   RC4 7025    NULL

1 个回答

Voted

RateControl · Answer 1 · 2011-04-08T12:54:58+08:00

Best Answer

RateControl

2011-04-08T12:54:58+08:002011-04-08T12:54:58+08:00

找到一个有评论的网站。

我将代码添加到恢复密钥和证书之后

--Mumbojumbo to get mirroring to work
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
GO

它就像一个魅力，我不得不用新服务器的服务主密钥加密我恢复的主密钥，这有点道理。我猜。

耸耸肩

11

使用 TDE 进行数据库镜像

你如何mysqldump特定的表？

您如何显示在 Oracle 数据库上执行的 SQL？

如何选择每组的第一行？

使用 psql 列出数据库权限

我可以查看在 SQL Server 数据库上运行的历史查询吗？

如何在 PostgreSQL 中使用 currval() 来获取最后插入的 id？

如何在 Mac OS X 上运行 psql？

如何从 PostgreSQL 中的选择查询中将值插入表中？

如何使用 psql 列出所有数据库和表？

将数组参数传递给存储过程

使用 TDE 进行数据库镜像

1 个回答

相关问题