SQL Server 2008 supports data-at-rest security through TDE (Transparent Data Encryption), but the encryption excludes files stored on the hard drive through the FILESTREAM feature.

How have you handled encryption of this data on the file system stored through FILESTREAM? Encrypting File System seems to be an option, but it would cause problems during DB backup, as the encryption of the DB and the file system are done by two different sources using (possibly) different encryption keys! Please share your thoughts.

Many thanks!

A: 

What is the purpose of encrypting? Is the system not physically secure? If so, anyone with physical access can, with some trouble, also run the decrypting software and reconstitute the data.

If the database is on a publicly accessible volume and the intent is to stop casual snooping, then install another hard drive and configure it to be non-shared. This is significantly less expensive, way more reliable, not subject to future cracks, and much more maintainable.

Otherwise, the database access mechanism itself is the most vulnerable to inappropriate access. So it won't matter what filesystem encryption is in effect.

wallyk
@wallyk: Encryption of 'data at rest' is a regulatory requirement for compliance with certain accreditation bodies. The goal is to prevent revealing the data even in case of a physical security lapse. I believe the TDE attempts to do that, with multiple layers of encrypted keys internally (and ultimately) tied to a master key stored in the operating system. Your solution of keeping a separate hard drive will complement this solution and make it stronger. But leaving the data unencrypted would allow data access on a physical lapse. And how crack-proof an encryption is is subjective, as we all know :)
pencilslate
+2  A: 

Can you have the folders where your FILESTREAM data reside be EFS encrypted by the account your SQL Server runs under?

Jesse C. Slicer
@Jesse: Can EFS be restricted to folder level? I tried googling, but couldn't find a concrete explanation.
pencilslate
Agreed on EFS - Andrew Fryer has blogged about this a couple of times.
Brent Ozar
@pencilslate: Yes, EFS can be applied at a drive, folder and/or individual file level.
Jesse C. Slicer
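As an added example that is not part of the thread: a PowerShell script that applies EFS to a FILESTREAM data container and then verifies that every item under it carries the Encrypted attribute. The container path and the service name `MSSQLSERVER` are assumptions; adjust them to your instance.

```powershell
# Added example (not from the original thread). Assumes the container path
# below and that the script runs in a session of the SQL Server service
# account, so the EFS certificate that can open these files is that account's.
$Container = 'D:\SQLData\FilestreamData'   # assumed path, adjust to yours

if (-not (Test-Path -LiteralPath $Container -PathType Container)) {
    throw "FILESTREAM container not found: $Container"
}

# Encrypt the folder (so new files inherit EFS) and everything already in it.
# cipher.exe is the built-in EFS tool: /E = encrypt, /S = recurse, /A = files too.
& cipher.exe /E /A /S:"$Container" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# Verify: every file and directory under the container must be marked Encrypted.
$notEncrypted = Get-ChildItem -LiteralPath $Container -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }

if ($notEncrypted) {
    Write-Warning "Items still in plaintext:"
    $notEncrypted | ForEach-Object { Write-Warning $_.FullName }
} else {
    Write-Output "All items under $Container are EFS-encrypted."
}

# Show which certificate(s) can decrypt the files, and which account the
# SQL Server service runs as, so the two can be compared.
& cipher.exe /C /S:"$Container"
Get-CimInstance -ClassName Win32_Service -Filter "Name='MSSQLSERVER'" |
    Select-Object Name, StartName
```

Run it from a session of the SQL Server service account: EFS protects files with the certificate of the user who encrypts them, so if `cipher /C` lists only your administrative account, the service will not be able to read its own FILESTREAM data.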