I am looking into implementing Transparent Data Encryption (TDE) on a SQL Azure database. Azure creates backups as .bacpac files. The documentation at TDE mentions that
"Backup files of databases that have TDE enabled are also encrypted by using the database encryption key. "
The documentation does not mention anything about .bak or .bacpac files specifically. Does anyone have experience, and more importantly, official documentation, that TDE will encrypt .bacpac files?
Any pointers and suggestions would be greatly appreciated.
UPDATE:
I was able to find official documentation here: TDE Azure. At the bottom of the page it says that .bacpac files are not encrypted.
I feel like this is a huge drawback to TDE on SQL Azure, as I really like the feature that prevents .bak files from being restored on another server without the certificate/key used in the TDE.
.bak and .bacpac files are very different. .bak files are copies of the database file pages. .bacpac files are created by scripting out the TSQL statements to recreate the schema of a database and using Bulk Export to query and export the rows of all the tables. See https://msdn.microsoft.com/en-us/library/hh213241.aspx list item #2 under "Before You Begin" to see that .bacpac file data is extracted using bulk operations.
TDE works by encrypting the database file pages, but leaving the in-memory version of the files in plaintext so they can be queried. Since .bak files are copies of the database file pages, they are encrypted. Since the data in .bacpac files is the output of queries, it is plaintext and unencrypted, just as bcp out files are from TDE databases.
Related
I have a database in the SQL Server installed on Azure VM. DB Size is 2 GB.
How and what is the best approach to move all data into Azure SQL PAAS Service?
While the method posted by @Harris Xu is absolutely correct, I am adding the issues which I faced when I migrated my 500+ GB SQL Server DB from Azure VM to PaaS using the .bacpac method.
Azure SQL DB is in a way limited when compared to on-prem SQL Server or SQL Server on VMs.
You will not face these issues while creating the .bacpac file but when you try to import, it might give some of the following compatibility issues.
Master Keys, Symmetric Keys, Service Queues and certificates cannot be migrated to cloud. Drop them before preparing the bacpac.
Drop orphaned Users.
If you are using XP_CMDSHELL, Trace Flags, DBCC commands or column store indexes, you have to remove them too.
Cross DB Queries are not allowed on Azure SQL DB. Remove all occurrences of ..
If you are calling an API from your stored proc then that too is not possible in Azure SQL DB. As a workaround you can use Logic Apps on Azure.
Moreover, Microsoft Migration assistant can help you find compatibility issues before hand too. You can download it here.
NOTE: This is in no way the full list of issues; I faced them because I was using all the above features. If you are not using them you will not face them.
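The answer above lists objects that make a BACPAC import fail; as an added example (not from the answer or from Microsoft), this T-SQL inventories those objects in the source database before the export. It only reads catalog views and drops nothing; the LIKE patterns for module text are a heuristic and hits should be reviewed by hand.

```sql
-- Added example: pre-export inventory for an Azure SQL Database migration.
-- Run in the SOURCE database on the VM. Read-only; nothing is dropped.
SET NOCOUNT ON;

-- 1. Keys, certificates and Service Broker queues that cannot be migrated
SELECT 'symmetric key' AS issue, name AS object_name FROM sys.symmetric_keys
UNION ALL
SELECT 'certificate', name FROM sys.certificates
UNION ALL
SELECT 'service queue', name FROM sys.service_queues WHERE is_ms_shipped = 0;

-- 2. Orphaned users: login-based users whose SID matches no server login
SELECT 'orphaned user' AS issue, dp.name AS object_name
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON dp.sid = sp.sid
WHERE dp.type IN ('S', 'U', 'G')
  AND dp.authentication_type_desc IN ('INSTANCE', 'WINDOWS')
  AND sp.sid IS NULL
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');

-- 3. Procedures, functions, views and triggers whose text uses xp_cmdshell,
--    DBCC, trace flags or the db..table (cross-database) naming the answer mentions
SELECT 'module text' AS issue,
       OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS object_name,
       pat.label AS hit
FROM sys.sql_modules AS m
CROSS JOIN (VALUES ('%xp_cmdshell%', 'xp_cmdshell'),
                   ('%DBCC %',       'DBCC command'),
                   ('%TRACEON%',     'trace flag'),
                   ('%..%',          'db..table name')) AS pat(pattern, label)
WHERE m.definition LIKE pat.pattern;

-- 4. Columnstore indexes (index type 5 = clustered, 6 = nonclustered columnstore)
SELECT 'columnstore index' AS issue,
       OBJECT_SCHEMA_NAME(object_id) + '.' + OBJECT_NAME(object_id) + '.' + name AS object_name
FROM sys.indexes
WHERE type IN (5, 6);
```

An empty result from all four queries does not guarantee a clean import (the answer says its list is not complete), but every row returned is something the BACPAC import will reject.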
SQL Migration using data-tier application export/import (BACPAC)
The BACPAC file encapsulates the database schema as well as the data stored in the database, and can be simply imported into an Azure SQL Database.
Workloads using the source database need to be taken offline during the export process to ensure that the exported BACPAC file contains all data in a complete and consistent state.
Export to bacpac file in SQL Server Management Studio (SSMS)
You can follow this post.
1. Open and connect to the database in SQL Server Management Studio (SSMS).
2. To export a database, right-click on the name of the database. In the context menu, select Tasks > Export Data-tier Application.
3. The option will open the wizard. Click Next on the Introduction page and go to the Export Settings.
Import a bacpac file to Azure SQL
1. After you connect to your Azure SQL server, go to the Object Explorer pane, right-click the Databases node, and select Import Data-tier Application.
2. The option will open the wizard. Click Next on the Introduction page and go to the Import Settings.
3. The Import Settings page asks for the bacpac file to import.
I have a .db file, with a bunch of tables and data (and a few one to many relationships), instead of rewriting everything, is there a way for me to just upload this database directly to Azure SQL?
My suggestion is to install SQL Server Developer Edition on your laptop or local computer and import those database files to that SQL instance as explained here, if they are Dbase files.
Once you have imported the .dbf files to the local SQL Server instance, use SQL Server Management Studio to deploy the database to Azure as shown here and here, or you can use Data Migration Assistant to migrate to Azure as explained here.
I have a SQL Server database, so I have 2 files (mdf and log).
How to protect the mdf file from being attached elsewhere?
SQL Server Transparent Data Encryption can prevent people from using the files elsewhere unless they have the appropriate certificates.
But if they've gained access to the server to the point where they can access those files directly, you have to consider the possibility that it's completely compromised.
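The answer above (and the first thread on this page, about TDE and backups) refers to TDE making the .mdf/.ldf and .bak files unusable on another server without the certificate. As an added example, not from either answer, this is the T-SQL that sets that up; database name, certificate name, file paths and passwords are placeholders.

```sql
-- Added example: enable TDE on database AppDb (placeholder name).
USE master;
GO
-- 1. Database master key in master, protected by a password
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-dmk-password>';
GO
-- 2. Server certificate that will protect the database encryption key
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for AppDb';
GO
-- 3. Back up the certificate AND its private key now and keep them off the
--    server. Without this file pair the database cannot be restored or
--    attached anywhere else: that is the protection, and also the recovery risk.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'D:\keys\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong-pvk-password>');
GO
-- 4. Create the database encryption key inside the user database and switch
--    encryption on; the DEK is itself encrypted by the server certificate
USE AppDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE AppDb SET ENCRYPTION ON;
GO
-- 5. Confirm the state: encryption_state 2 = in progress, 3 = encrypted
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Attaching the copied .mdf or restoring a .bak on a server that does not hold TdeServerCert fails with an error about the certificate being missing; a .bacpac export of the same database is still plaintext, as the first thread explains.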
I have a feature in visual studio which I have never really understood.
I am able to right-click on the App_Data folder and then I am able to select 'SQL Server Database'. I don't really understand how I can create a DB using just an mdf file. I thought the SQL service was responsible for manipulating these files, and that you have to create the DB using the SQL Management Studio interface?
I'm confused as to how we can essentially just have a lone file and run a DB from it for a website.
Your application is still connecting through the SQL Server service, but it can instruct the service to attach to a specific mdf file at runtime through a connection string, e.g.:
"Server=.\SQLExpress;AttachDbFilename=c:\mydbfile.mdf;Database=dbname; Trusted_Connection=Yes;"
All SQL Server databases are represented as one (or more) .mdf files and usually .ldf files as well (ldf is the log file, mdf is the data file.) An .mdf file is a file but it is highly structured and maintained by SQL Server. The way SQL Server uses this file is very different from serving up CSV data, as a simple example. SQL Server breaks the file into pages and serves the requests for reads and writes via this paging system. It is indeed like a file system within a file system. If you think about it it does all make sense. The data has to get persisted to disk and that disk persistence has to come in the form of a file or files.
When you installed Visual Studio you also installed SQL Server Express. This gives you the ability to create and use SQL Server databases.
If you were to deploy your application you would then also need to have a SQL Server (Express) install on the web-server you were using (at least because you don't want to use your development database server in production).
Asking this question for a friend of mine.
My client had sent me a backup file of a database in SQL Server 2008.
I installed SQL Server 2008 Express Edition.
Then I tried to restore the given backup file with this, but unfortunately it's throwing an error:
"The media family on device is incorrectly formed. SQL Server cannot process this media family. RESTORE HEADERONLY is terminating abnormally. (Microsoft SQL Server, Error 3241)"
I searched for this error and everywhere they say maybe the backup might be corrupted.
But my client is able to restore the same at their end.
Any idea?
Have you applied the latest service packs to your copy of SQL Server 2008? Try that, and then do a RESTORE HEADERONLY command in Sql Enterprise manager. That will give you the properties of the file you're trying to backup. Is your client using Express Edition as well?
It is possible that the backup file became corrupt during transit.
I would suggest that the client either re-send the database backup file, or create another one.
It may also be pertinent to suggest to the client that when creating the Database Backup they use the CHECKSUM option to validate the contents of the backup file that is produced.
CHECKSUM
Enables backup checksums, so that BACKUP can do the following:
- Prior to writing a page to the backup media, BACKUP verifies the page (page checksum or torn page), if this information is present on the page.
- Regardless of whether page checksums are present, BACKUP generates a separate backup checksum for the backup streams. Restore operations can optionally use the backup checksum to validate that the backup is not corrupted. The backup checksum is stored on the backup media, not on the database pages. The backup checksum can optionally be used at restore time.
References
SQL Server Books Online - Backup Database
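As an added example (not from the answer above), this is the sender/receiver sequence the answer recommends: back up WITH CHECKSUM on the client's side, then on the receiving side read the header and verify the checksum before attempting the restore. Database name and paths are placeholders.

```sql
-- Added example: backup with checksum, then verification before restore.

-- SENDER (client): page checksums are verified while reading, and a separate
-- backup checksum is written to the media. STOP_ON_ERROR aborts on a bad page.
BACKUP DATABASE ClientDb
    TO DISK = 'D:\backups\ClientDb.bak'
    WITH CHECKSUM, STOP_ON_ERROR, INIT, STATS = 10;

-- RECEIVER, step 1: read the media header. This is the statement behind
-- error 3241; if it succeeds, SoftwareVersionMajor/Minor/Build show which
-- server build wrote the file and HasBackupChecksums shows whether the
-- sender used WITH CHECKSUM.
RESTORE HEADERONLY FROM DISK = 'D:\backups\ClientDb.bak';

-- RECEIVER, step 2: recompute the backup checksum over the whole file without
-- restoring anything. A file damaged in transit fails here.
RESTORE VERIFYONLY FROM DISK = 'D:\backups\ClientDb.bak' WITH CHECKSUM;

-- RECEIVER, step 3: the real restore, again checking checksums while reading.
-- MOVE relocates the data and log files onto this server's paths.
RESTORE DATABASE ClientDb
    FROM DISK = 'D:\backups\ClientDb.bak'
    WITH CHECKSUM,
         MOVE 'ClientDb'     TO 'D:\data\ClientDb.mdf',
         MOVE 'ClientDb_log' TO 'D:\data\ClientDb_log.ldf';

-- SENDER, optional: msdb records whether each backup set carried a checksum
SELECT database_name, backup_finish_date, has_backup_checksums
FROM msdb.dbo.backupset
WHERE database_name = 'ClientDb'
ORDER BY backup_finish_date DESC;
```

If RESTORE HEADERONLY itself fails with error 3241 on the receiving side but works for the client, compare the SoftwareVersion columns it returns on the client's server with the receiving server's version before blaming the file.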