sync

2024-01-31 14:50:39 +01:00
parent 0548c775b3
commit bb404b6ce6
7 changed files with 370 additions and 9 deletions
--- a/keys.sql
+++ b/keys.sql
@@ -0,0 +1,256 @@
+/* TDE ACTIVATION */
+USE [master];
+GO
+ 
+DECLARE @oldlogin  VARCHAR(255),
+        @keyname   VARCHAR(255) = 'TDE_20241101',
+        @AZkeyname VARCHAR(255) = 'SQLTDE';
+ 
+SELECT      @oldlogin = sp.name
+  FROM      sys.server_principal_credentials pc
+INNER JOIN sys.credentials c
+    ON pc.credential_id = c.credential_id
+  JOIN      sys.server_principals sp
+    ON sp.principal_id  = pc.principal_id
+WHERE      c.name = 'sysadmin_ekm_cred';
+ 
+IF (@oldlogin IS NOT NULL) EXEC ('ALTER LOGIN ' + @oldlogin + ' DROP CREDENTIAL [sysadmin_ekm_cred];');
+ 
+ALTER LOGIN [sysadmin_ekm] ADD CREDENTIAL [sysadmin_ekm_cred];
+ 
+EXEC ('IF NOT EXISTS(SELECT 1 FROM sys.asymmetric_keys WHERE name = ''' + @keyname + ''') CREATE ASYMMETRIC KEY [' + @keyname + ']
+FROM PROVIDER [AzureKeyVault_EKM_Prov]
+WITH PROVIDER_KEY_NAME = ''' + @AZkeyname + ''', CREATION_DISPOSITION = OPEN_EXISTING;');
+ 
+ALTER LOGIN [sysadmin_ekm] DROP CREDENTIAL [sysadmin_ekm_cred];
+ 
+EXEC ('IF NOT EXISTS (SELECT 1 FROM sys.syslogins where name = ''' + @keyname + ''')CREATE LOGIN [' + @keyname + '] FROM ASYMMETRIC KEY [' + @keyname + '];');
+ 
+EXEC ('ALTER LOGIN [' + @keyname + '] ADD CREDENTIAL [sysadmin_ekm_cred];');
+ 
+DECLARE @sqlCommand VARCHAR(MAX);
+ 
+SET @sqlCommand
+    = 'USE ? IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys AS e
+  LEFT JOIN master.sys.asymmetric_keys AS c
+    ON e.encryptor_thumbprint = c.thumbprint
+WHERE DB_NAME(e.database_id) = DB_NAME() AND c.name like ''TDE%'')  IF DB_ID(''?'') > 4 
+BEGIN
+CREATE DATABASE ENCRYPTION KEY
+WITH ALGORITHM = AES_256
+ENCRYPTION BY SERVER ASYMMETRIC KEY [' + @keyname + '];
+ALTER DATABASE ? SET ENCRYPTION ON
+END;';
+ 
+EXEC master..sp_MSforeachdb @sqlCommand;
+ 
+ 
+ 
+ 
+ 
+BACKUP DATABASE [TestTDE]
+TO  DISK = N'D:\SQLDatabaseDump\TDE_20241101.bak'
+WITH COPY_ONLY,
+     NOFORMAT,
+     INIT,
+     NAME = N'TestTDE-Full Database Backup',
+     SKIP,
+     NOREWIND,
+     NOUNLOAD,
+     COMPRESSION,
+     STATS = 10;
+GO
+ 
+ 
+ 
+/* ROTATE */
+ 
+/* CREATE NEW KEY IN AZURE BY POWERSHELL */
+USE [master];
+GO
+ 
+DECLARE @oldlogin  VARCHAR(255),
+        @keyname   VARCHAR(255) = 'TDE_20241201',
+        @AZkeyname VARCHAR(255) = 'SQLTDE';
+ 
+SELECT      @oldlogin = sp.name
+  FROM      sys.server_principal_credentials pc
+INNER JOIN sys.credentials c
+    ON pc.credential_id = c.credential_id
+  JOIN      sys.server_principals sp
+    ON sp.principal_id  = pc.principal_id
+WHERE      c.name = 'sysadmin_ekm_cred';
+ 
+EXEC ('ALTER LOGIN ' + @oldlogin + ' DROP CREDENTIAL [sysadmin_ekm_cred];');
+ 
+ALTER LOGIN [sysadmin_ekm] ADD CREDENTIAL [sysadmin_ekm_cred];
+ 
+EXEC ('CREATE ASYMMETRIC KEY [' + @keyname + ']
+FROM PROVIDER [AzureKeyVault_EKM_Prov]
+WITH PROVIDER_KEY_NAME = ''' + @AZkeyname + ''', CREATION_DISPOSITION = OPEN_EXISTING;');
+ 
+ALTER LOGIN [sysadmin_ekm] DROP CREDENTIAL [sysadmin_ekm_cred];
+ 
+EXEC ('CREATE LOGIN [' + @keyname + '] FROM ASYMMETRIC KEY [' + @keyname + '];');
+ 
+EXEC ('ALTER LOGIN [' + @keyname + '] ADD CREDENTIAL [sysadmin_ekm_cred];');
+ 
+DECLARE @sqlCommand VARCHAR(MAX);
+ 
+SET @sqlCommand
+    = 'USE ? IF EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys AS e
+  LEFT JOIN master.sys.asymmetric_keys AS c
+    ON e.encryptor_thumbprint = c.thumbprint
+WHERE DB_NAME(e.database_id) = DB_NAME() AND c.name like ''TDE%'') ALTER DATABASE ENCRYPTION KEY
+ENCRYPTION BY SERVER ASYMMETRIC KEY [' + @keyname + '];';
+ 
+EXEC master..sp_MSforeachdb @sqlCommand;
+ 
+EXEC ('DROP LOGIN ' + @oldlogin + ';');
+EXEC ('DROP ASYMMETRIC KEY [' + @oldlogin + '];');
+ 
+ 
+ 
+ 
+ 
+/* RESTORE OLD BACKUP */
+USE [master];
+GO
+ 
+ 
+DECLARE @oldlogin         VARCHAR(255),
+        @keynametorestore VARCHAR(255) = 'TDE_20241101',
+		@keyname          VARCHAR(255) = 'TDE_20241201',
+        @db               VARCHAR(255) = 'TestTDE2',
+        @AZkeyname        VARCHAR(255) = 'SQLTDE/f514174481184130aef24e8999dd14c4';
+ 
+SELECT      @oldlogin = sp.name
+  FROM      sys.server_principal_credentials pc
+INNER JOIN sys.credentials c
+    ON pc.credential_id = c.credential_id
+  JOIN      sys.server_principals sp
+    ON sp.principal_id  = pc.principal_id
+WHERE      c.name = 'sysadmin_ekm_cred';
+ 
+EXEC ('ALTER LOGIN ' + @oldlogin + ' DROP CREDENTIAL [sysadmin_ekm_cred];');
+ 
+ALTER LOGIN [sysadmin_ekm] ADD CREDENTIAL [sysadmin_ekm_cred];
+ 
+EXEC ('CREATE ASYMMETRIC KEY [' + @keynametorestore + ']
+FROM PROVIDER [AzureKeyVault_EKM_Prov]
+WITH PROVIDER_KEY_NAME = ''' + @AZkeyname + ''', CREATION_DISPOSITION = OPEN_EXISTING;');
+ 
+ 
+EXEC ('CREATE LOGIN [' + @keynametorestore + '] FROM ASYMMETRIC KEY [' + @keynametorestore + '];');
+ 
+EXEC ('ALTER LOGIN [sysadmin_ekm] DROP CREDENTIAL [sysadmin_ekm_cred];');
+ 
+EXEC ('ALTER LOGIN [' + @keynametorestore + '] ADD CREDENTIAL [sysadmin_ekm_cred];');
+ 
+ 
+RESTORE DATABASE [TestTDE2]
+FROM DISK = N'D:\SQLDatabaseDump\TDE_20241101.bak'
+WITH FILE = 1,
+     MOVE N'AdventureWorks2022'
+     TO N'F:\SQLDatabase\TestTDE2.mdf',
+     MOVE N'AdventureWorks2022_log'
+     TO N'G:\SQLDatabase\TestTDE2_log.ldf',
+     NOUNLOAD,
+     REPLACE,
+     STATS = 5;
+ 
+ 
+EXEC ('ALTER LOGIN [' + @keynametorestore + '] DROP CREDENTIAL [sysadmin_ekm_cred];');
+ 
+EXEC ('ALTER LOGIN [' + @keyname + '] ADD CREDENTIAL [sysadmin_ekm_cred];');
+ 
+EXEC('USE ['+ @db +'];ALTER DATABASE ENCRYPTION KEY
+ENCRYPTION BY SERVER ASYMMETRIC KEY [' + @keyname + '];')
+ 
+ 
+USE [master];
+ 
+EXEC('DROP LOGIN [' + @keynametorestore + '];')
+EXEC('DROP ASYMMETRIC KEY [' + @keynametorestore + '];')
+GO
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+/* VALIDATE */
+SELECT      DB_NAME(e.database_id) AS DatabaseName,
+            e.database_id,
+            e.encryption_state,
+            CASE e.encryption_state
+                 WHEN 0 THEN 'No database encryption key present, no encryption'
+                 WHEN 1 THEN 'Unencrypted'
+                 WHEN 2 THEN 'Encryption in progress'
+                 WHEN 3 THEN 'Encrypted'
+                 WHEN 4 THEN 'Key change in progress'
+                 WHEN 5 THEN 'Decryption in progress' END AS encryption_state_desc,
+            c.name,
+            e.percent_complete,
+            e.create_date,
+            e.regenerate_date,
+            e.modify_date,
+            e.set_date,
+            e.opened_date,
+            e.key_algorithm,
+            e.key_length,
+            e.encryptor_thumbprint,
+            e.encryptor_type,
+            c.principal_id,
+            c.asymmetric_key_id,
+            c.pvt_key_encryption_type,
+            c.pvt_key_encryption_type_desc,
+            c.thumbprint,
+            c.algorithm,
+            c.algorithm_desc,
+            c.key_length,
+            c.sid,
+            c.string_sid,
+            c.public_key,
+            c.attested_by,
+            c.provider_type,
+            c.cryptographic_provider_guid,
+            c.cryptographic_provider_algid
+  FROM      sys.dm_database_encryption_keys AS e
+  LEFT JOIN master.sys.asymmetric_keys AS c
+    ON e.encryptor_thumbprint = c.thumbprint
+WHERE      c.name <> 'tempdb';
+ 
+ 
+ 
+ 
+/* DROP */
+USE [master];
+GO
+ 
+ALTER DATABASE [TestTDE] SET ENCRYPTION OFF;
+GO
+ 
+/* WAIT */
+ 
+USE [TestTDE];
+GO
+ 
+DROP DATABASE ENCRYPTION KEY;
+GO
+ 
+USE [master];
+GO
+ 
+ALTER LOGIN [TDE_20240601] DROP CREDENTIAL [sysadmin_ekm_cred];
+GO
+ 
+DROP LOGIN [TDE_20240601];
+GO
+ 
+DROP ASYMMETRIC KEY [TDE_20240601];
+GO