
SQL Server 2008 introduced Transparent Data Encryption (TDE), a security feature designed to protect backup data and to prevent unauthorized access when a database is restored on a different server.

TDE applies to the physical files of the database:
.MDF - database files
.LDF - log files
.BAK - backup files

Architecture of TDE

The Encryption and Decryption Process

Note: Open SQL Server Management Studio in Administrator mode.

Back up before proceeding

It is a general best practice to back up a database prior to making modifications. It is especially important when implementing TDE, so that, should the TDE implementation need to be reversed, you can cleanly recover the database in its original form.

With the backup successfully completed, we can begin implementing TDE.

Step 1: Service Master Key

This key is created at SQL Server setup time, i.e. when the instance is installed. To check whether the service master key is present, execute the query below.
SELECT * FROM sys.symmetric_keys

This key is used internally to encrypt the Database Master Key.

Step 2: Database Master Key Creation

Before creating a master key, first check whether one already exists. Run the command below to check.
SELECT * FROM sys.symmetric_keys

If the output is the same as in Step 1, there is no database master key yet; only the service master key exists.
Now use the command below to create a new Database Master Key. The Service Master Key encrypts the Database Master Key of the master database.

Step 3: Creating a Certificate

The certificate is created in the master database and protected by the Database Master Key of the master database. You can view the existing certificates in a SQL Server database by querying the sys.certificates view.
SELECT * FROM sys.certificates

Use the query below to create a new certificate named MasterCert.

Step 4: Back up the Certificate just Created

At this point in the process you should back up the certificate together with its private key, using the BACKUP CERTIFICATE command shown below. If the Tanveer_DataBaseName database ever needs to be restored, this certificate and its private key will be required.

Step 5: Create Database Encryption Key

The database encryption key is created using the CREATE DATABASE ENCRYPTION KEY command. Its arguments are:
WITH ALGORITHM: specifies the algorithm used, which in turn dictates the strength of the key.
ENCRYPTION BY: defines how the key is protected. The protector named in the ENCRYPTION BY argument can be a certificate or an asymmetric key located in the master database.

The AES_128 option specifies the Advanced Encryption Standard (AES) with a 128-bit key length, and we protect the database encryption key with the MasterCert certificate that was created in the master database. Microsoft SQL Server can use the following algorithms to encrypt sensitive data:
DES
Triple_DES
RC2
RC4
RC4_128
DESX
AES_128
AES_192
AES_256

Step 6: Enable TDE

The final step in the TDE setup process is to enable it. This is done by executing the ALTER DATABASE command with the SET ENCRYPTION ON argument. Use the command below to set encryption on.

Note: All these algorithms are Operating System Specific.

At this point, an encryption scan occurs, which is the process by which the physical files of the database are scanned and encrypted. Included in this scan process are the database files, TempDB database files and transaction log files. The duration of the encryption scan will vary depending upon the size of the database files. Once the process has completed, the encryption_state column in the sys.dm_database_encryption_keys dynamic management view will reflect the encryption state of "encrypted", and will show the value of "3" in this column, for our Tanveer_DataBaseName database.
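The commands that Steps 1 to 6 refer to appear in the original only as screenshots. The following T-SQL is an added example, not the page's own code, that carries the whole procedure through in one script. The certificate name MasterCert, the database name Tanveer_DataBaseName and the folder C:\MS_SQL\DBBackup are taken from the page; the two passwords are placeholders that must be replaced, and the IF NOT EXISTS guards are an addition so the script can be re-run safely.

```sql
-- Added example (not from the original page): TDE setup, Steps 1-6, as one script.
-- Placeholders: the two passwords. Page values: MasterCert, Tanveer_DataBaseName, C:\MS_SQL\DBBackup.

USE master;
GO

-- Step 1 and 2: list the keys in master. The Service Master Key (##MS_ServiceMasterKey##)
-- exists from installation; a Database Master Key appears as ##MS_DatabaseMasterKey##.
SELECT name, algorithm_desc, create_date
FROM sys.symmetric_keys;
GO

-- Create the Database Master Key only if master does not already have one.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';  -- placeholder
GO

-- Step 3: certificate in master, protected by the Database Master Key.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'MasterCert')
    CREATE CERTIFICATE MasterCert WITH SUBJECT = 'TDE certificate for Tanveer_DataBaseName';
GO

-- Step 4: back up the certificate AND its private key before anything is encrypted.
-- Without these two files and the private-key password, a TDE backup cannot be
-- restored on any other instance.
BACKUP CERTIFICATE MasterCert
    TO FILE = 'C:\MS_SQL\DBBackup\MasterCert.bak'
    WITH PRIVATE KEY (
        FILE = 'C:\MS_SQL\DBBackup\MasterCert.pvk',
        ENCRYPTION BY PASSWORD = '<private key backup password>'  -- placeholder
    );
GO

-- Step 5: the database encryption key (DEK) lives inside the user database and is
-- protected by the server certificate held in master.
USE Tanveer_DataBaseName;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_128
    ENCRYPTION BY SERVER CERTIFICATE MasterCert;
GO

-- Step 6: switch TDE on. The background encryption scan starts immediately.
ALTER DATABASE Tanveer_DataBaseName SET ENCRYPTION ON;
GO
```

Store the .bak and .pvk files, and the private-key password, separately from the database backups; anyone holding all three can restore the encrypted database, and losing any of them makes the backups unrecoverable.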

Step 6: Verifying TDE

Once the implementation of TDE is complete, there are a few ways to verify that these steps indeed succeeded.

Using sys.dm_database_encryption_keys

The sys.dm_database_encryption_keys DMV presents information about the database encryption keys used in a given database, as well as the encryption state of the database. We are able to determine the success of the TDE implementation as below.

A return value of "1" for the is_encrypted column of the sys.databases catalog view indicates that the database has been encrypted through TDE. A value of "3" for encryption_state column indicates that the encryption process is complete. A value of "2" in this column indicates that the encryption process is in progress.

The percent_complete column from the same DMV indicates the progress of the encryption process. This column only reflects a value other than "0" when the database encryption state is in the process of changing (being encrypted or decrypted).

Step 7: One final test regarding the backup file is to attempt to restore the post-TDE backup onto a different instance than the one hosting the Tanveer_DataBaseName database, using the RESTORE DATABASE command, as shown below.

This attempt returns an error stating that the certificate in the master database that protects the Tanveer_DataBaseName database encryption key does not exist; the restore therefore fails.

Solution

Step 1: Create a new master key on the new SQL Server instance.
CREATE MASTER KEY ENCRYPTION BY PASSWORD='W0rkspac3#2012'

Step 2: Restore the certificate from the backup taken earlier.

-- File paths must be string literals; DECRYPTION BY PASSWORD is the password the private key was backed up with.
CREATE CERTIFICATE MasterCert FROM FILE = 'C:\MS_SQL\DBBackup\MasterCert.bak' WITH PRIVATE KEY (FILE = 'C:\MS_SQL\DBBackup\MasterCert.pvk', DECRYPTION BY PASSWORD = 'w0rkspac3#2012')

Step 3: Run the restore database query. The database will now be restored successfully.
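The recovery on the second instance, written out end to end, as an added example that is not the page's own code. The certificate name, certificate backup paths and database name are the page's; the backup file location, the logical file names used in MOVE and the passwords are placeholders. The thumbprint check between Steps 2 and 3 is an addition: the imported certificate may carry any name, but its thumbprint must equal the encryptor_thumbprint that the source instance reported for the database encryption key.

```sql
-- Added example (not from the original page): restoring a TDE-protected backup on a new instance.
USE master;
GO

-- Step 1: this instance needs its own Database Master Key. Its password is independent
-- of the source instance's master key password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<new instance master key password>';  -- placeholder
GO

-- Step 2: import the certificate and private key backed up on the source instance.
-- DECRYPTION BY PASSWORD must match the ENCRYPTION BY PASSWORD used in BACKUP CERTIFICATE.
CREATE CERTIFICATE MasterCert
    FROM FILE = 'C:\MS_SQL\DBBackup\MasterCert.bak'
    WITH PRIVATE KEY (
        FILE = 'C:\MS_SQL\DBBackup\MasterCert.pvk',
        DECRYPTION BY PASSWORD = '<private key backup password>'  -- placeholder
    );
GO

-- Check: compare this thumbprint with encryptor_thumbprint from
-- sys.dm_database_encryption_keys on the source instance before restoring.
SELECT name, thumbprint, expiry_date
FROM sys.certificates
WHERE name = 'MasterCert';
GO

-- Step 3: discover the logical file names in the backup, then restore, relocating the files.
RESTORE FILELISTONLY
    FROM DISK = 'C:\MS_SQL\DBBackup\Tanveer_DataBaseName.bak';  -- placeholder path
GO
RESTORE DATABASE Tanveer_DataBaseName
    FROM DISK = 'C:\MS_SQL\DBBackup\Tanveer_DataBaseName.bak'                            -- placeholder path
    WITH MOVE 'Tanveer_DataBaseName'     TO 'D:\Data\Tanveer_DataBaseName.mdf',          -- placeholder logical/physical names
         MOVE 'Tanveer_DataBaseName_log' TO 'E:\Log\Tanveer_DataBaseName_log.ldf',       -- placeholder logical/physical names
         RECOVERY;
GO
```

Because the restored database's DEK is still protected by MasterCert, this instance now has the same dependency the source had: back up the certificate here as well, or a later rebuild of this server will face the same missing-certificate error.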

How is Data Encrypted?


When TDE is enabled (or disabled), the database is marked as encrypted in the sys.databases catalog view. The server starts a background thread (called the encryption scan or scan) that scans all database files and encrypts them (or decrypts them if you are disabling TDE). When the encryption scan is completed, the DEK state is set to the Encrypted state. At this point all database files on disk are encrypted and database and log file writes to disk will be encrypted.

What is Encrypted?
TDE operates at the I/O level through the buffer pool. Thus, any data that is written to the database file (*.mdf) is encrypted. Snapshots and backups are also designed to take advantage of the encryption provided by TDE, so these are encrypted on disk as well. Data that is in use, however, is not encrypted, because TDE does not provide protection at the memory or transit level. For data that is in use, all pages are decrypted as they are read into the buffer pool and are held in clear text in memory. In this process, decrypted data may be written to disk. Tempdb and the transaction log files are also encrypted.

Impact on the database


TDE is designed to be as transparent as possible. No application changes are required, and the user experience is the same whether using a TDE-encrypted database or a non-encrypted database. The performance impact of TDE is minor. In tests using sample data and TPC-C runs, the overall performance impact was estimated at around 3-5%, and it can be much lower if most of the data accessed is already in memory. Encryption is CPU intensive and is performed at the I/O level; therefore, servers with low I/O and a low CPU load will see the smallest performance impact.
