I need to mirror a few databases and use Transparent Data Encryption (TDE) on them, because our data has to be encrypted "at rest".
I have set up TDE on both the principal and the mirror. The problem I ran into appeared when I set up mirroring for the two databases. Because I am using TDE, I don't know of a way to set up mirroring through the GUI, so I had to use T-SQL to get the job done.
Here is the code I used on the mirror server:
--Restore the full backup to the mirrored mdf and ldf
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
RESTORE DATABASE TDE
FROM disk = '\\SERVERNAME\SQL_Stuff\Backup\TDE_FULL.bak'
WITH NORECOVERY,
REPLACE,
MOVE 'TDE' TO 'E:\TDE.mdf',
MOVE 'TDE_log' TO 'G:\TDE.ldf'
CLOSE MASTER KEY
GO
--Restore the log backup to the mirrored db
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
RESTORE LOG TDE
FROM DISK = '\\SERVERNAME\SQL_Stuff\Backup\TDE_LOG.trn'
WITH NORECOVERY;
CLOSE MASTER KEY
GO
--Drop/Create Mirroring endpoint on mirror
--DROP ENDPOINT TDE
CREATE ENDPOINT TDE
STATE = STARTED
AS TCP ( LISTENER_PORT = 7025 )
FOR DATABASE_MIRRORING (
ROLE = PARTNER
);
GO
--Check the endpoints for the mirror
USE MASTER
SELECT * FROM sys.database_mirroring_endpoints
GO
--Set the principal on the mirrored db
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
ALTER DATABASE TDE SET PARTNER = 'TCP://PRINCIPAL.DOMAIN.local:7022'
GO
CLOSE MASTER KEY
GO
Here is the code I used on the principal server.
----------------------Mirroring Section----------------------------------
--Full Backup of Principal
USE TDE
GO
BACKUP DATABASE TDE
TO DISK = '\\SERVERNAME\SQL_Stuff\Backup\TDE_FULL.bak'
WITH COMPRESSION,
NAME = 'Full Backup of TDE';
GO
---Log Backup of Principal
USE TDE
GO
BACKUP LOG TDE
TO DISK = '\\SERVERNAME\SQL_Stuff\Backup\TDE_LOG.trn'
WITH COMPRESSION,
NAME = 'Log backup of TDE'
GO
--Drop/Create Mirroring endpoint on principal
--DROP ENDPOINT TDE
CREATE ENDPOINT TDE
STATE = STARTED
AS TCP ( LISTENER_PORT = 7022 )
FOR DATABASE_MIRRORING (
ROLE = PARTNER
);
GO
--Check the endpoints for the principal
USE master
select * from sys.database_mirroring_endpoints
GO
--Set the mirror db on the principal db
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
ALTER DATABASE TDE SET PARTNER = 'TCP://MIRROR.DOMAIN.local:7025'
CLOSE MASTER KEY
GO
I set up the mirror endpoint first, then the principal endpoint. I then issued the ALTER DATABASE on the mirror, then on the principal, and I get the error:
Msg 1416, Level 16, State 31, Line 2
Database "TDE" is not configured for database mirroring.
I don't know what to do. The mirror is in the "Restoring" state, but I am sure the error relates to the principal database.
Thanks for any help you can give!
Update: TDE code for the principal:
--Create Master Key in Master Database
USE MASTER
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '1Password';
PRINT 'created master key'
go
--Backing up the master key file
USE master;
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password';
BACKUP MASTER KEY TO FILE = '\\SERVERNAME\TDE_Master_Key.key' ENCRYPTION BY PASSWORD = '1Password';
GO
--Create Server Certificate in the Master Database encrypted with master key (created above) which would be used to create USER database encryption key.
USE Master
CREATE CERTIFICATE Cert_For_TDE WITH SUBJECT = 'Master_Cert_for_TDE', EXPIRY_DATE = '3500-Jan-01';
Go
--Backing up the server cert file
--USE master;
BACKUP CERTIFICATE Cert_For_TDE TO FILE = '\\SERVERNAME\TDE_Cert.cer'
WITH PRIVATE KEY ( FILE = '\\SERVERNAME\TDE_Cert_Key.key', ENCRYPTION BY PASSWORD = '1Password');
GO
--Create user database key
USE TDE
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE Cert_For_TDE;
GO
--Enabling Transparent Database Encryption for the USER Database
USE master;
GO
ALTER DATABASE TDE SET ENCRYPTION ON
GO
TDE code for the mirror:
--restore the backed up key to the mirror
use master
RESTORE MASTER KEY
FROM FILE = '\\SERVERNAME\TDE_Master_Key.key'
DECRYPTION BY PASSWORD = '1Password'
ENCRYPTION BY PASSWORD = '1Password';
GO
--restore the backed up cert to the mirror
USE Master;
OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password'
CREATE CERTIFICATE Cert_For_TDE
FROM FILE = '\\SERVERNAME\TDE_Cert.cer' WITH PRIVATE KEY ( FILE = '\\SERVERNAME\TDE_Cert_Key.key', DECRYPTION BY PASSWORD = '1Password');
GO
Update2: sys.database_mirroring_endpoints joined with sys.tcp_endpoints on the principal shows:
endpoint_id name principal_id state_desc role_desc connection_auth_desc certificate_id encryption_algorithm_desc port ip_address
65545 TDE 261 STARTED PARTNER NEGOTIATE 0 RC4 7022 NULL
sys.database_mirroring_endpoints joined with sys.tcp_endpoints on the mirror shows:
endpoint_id name principal_id state_desc role_desc connection_auth_desc certificate_id encryption_algorithm_desc port ip_address
65537 TDE 261 STARTED PARTNER NEGOTIATE 0 RC4 7025 NULL
Found a site with a comment on this.
I added the code after restoring the key and the certificate
and it worked like a charm. I had to encrypt my restored master key with the new server's service master key, which makes some sense, I guess.
*shrug*
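An added check-and-fix script for the step the last update describes (this is not the poster's code): on the mirror, a database master key restored from file is protected only by its password until it is also encrypted by the new server's service master key, so the engine cannot open it, or the TDE certificate it protects, without a password. It assumes the database name TDE, the certificate Cert_For_TDE and the password from the post.

```sql
-- Added example, not the poster's code. Run on the MIRROR after
-- RESTORE MASTER KEY / CREATE CERTIFICATE and before ALTER DATABASE ... SET PARTNER.
USE master;
GO
-- 1. Is the database master key (DMK) in master wrapped by this server's
--    service master key (SMK)? After RESTORE MASTER KEY it usually is not,
--    so the DMK can only be opened with the password and the mirror cannot
--    open Cert_For_TDE unattended for the restoring database.
IF EXISTS (SELECT 1 FROM sys.databases
           WHERE name = 'master' AND is_master_key_encrypted_by_server = 0)
BEGIN
    OPEN MASTER KEY DECRYPTION BY PASSWORD = '1Password';  -- password from the post
    ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;  -- wrap DMK with this server's SMK
    CLOSE MASTER KEY;
    PRINT 'DMK in master is now also protected by the service master key';
END
ELSE
    PRINT 'DMK in master is already protected by the service master key';
GO
-- 2. Confirm the restored certificate on the mirror matches the encryptor of
--    the mirrored database's DEK (thumbprints must be identical; a certificate
--    of the same name with a different thumbprint cannot open the DEK).
SELECT d.name            AS database_name,
       d.state_desc      AS database_state,      -- RESTORING on a mirror
       dek.encryption_state,                     -- 3 = encrypted
       dek.encryptor_thumbprint,
       c.name            AS matching_certificate -- NULL means wrong/missing cert
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d ON d.database_id = dek.database_id
LEFT JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
WHERE d.name = 'TDE';
GO
```

The second query is the check to run when the first step did not help: a NULL in matching_certificate means the certificate restored on the mirror is not the one that encrypted the DEK on the principal.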