{"id":183,"date":"2022-01-06T11:21:51","date_gmt":"2022-01-06T11:21:51","guid":{"rendered":"https:\/\/blog.citrus-lime.com\/crmc\/?p=183"},"modified":"2022-01-06T11:21:51","modified_gmt":"2022-01-06T11:21:51","slug":"tde-database-encryption-with-on-premise-dynamics","status":"publish","type":"post","link":"https:\/\/blog.citrus-lime.com\/crmc\/tde-database-encryption-with-on-premise-dynamics\/","title":{"rendered":"TDE Database Encryption with On Premise Dynamics"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"alignright is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/license.citruslime.com\/cs\/blogs\/crmcs\/TDE-Encryption_thumb_25AEA1F9.jpg\" alt=\"TDE Encryption\" width=\"319\" height=\"243\" \/><\/figure><\/div>\n\n\n\n<p>We were tasked by a client to look at what levels of\u00a0<strong>Database Encryption (Encryption at Rest)<\/strong>\u00a0were in place and<br>also how we could fill in any gaps. Here in the UK we would be talking about the sensitive personal information<br>covered by the GDPR legislation, and how we can make it as secure as possible. The request is quite simple \u2013<br><em><strong>\u2018please encrypt our database\u2019<\/strong><\/em>, however from a SQL novice point of view, this would require a lot of new learning<br>for your typical Dynamics CRM Consultant.<\/p>\n\n\n\n<p>Sure, I can deploy a multi\u2013server deployment of Dynamics, but we only really touch base with SQL Server and database backups, so I already knew this would be an interesting challenge\u2026<\/p>\n\n\n\n<p><strong>1. Why Should you Encrypt?..<\/strong><\/p>\n\n\n\n<p>So, we have the correct password policy, latest CRM patches for 8.2 and the server array and network conforms to TLS 1.2. For industry standards data access and data transit is where it currently needs to be, however how secure is that data storage?<\/p>\n\n\n\n<p>Microsoft\u2019s example runs along the line of \u2018If someone was able to get access to your SQL Server and remove the hard drive, they could then restore the data in a secondary SQL Server\u2019. This causes a major security flaw and that is where TDE (Transparent Database Encryption) comes in!<\/p>\n\n\n\n<p>TDE is SQL\u2019s form of Encryption at Rest. The term&nbsp;<strong><em>\u201cdata at rest\u201d<\/em><\/strong>&nbsp;refers to the data, log files, and backups stored in persistent storage and allows an organisation to protect its data when not in use or when stored for audit purposes for instance<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. Things to Consider\u2026<\/strong><\/h3>\n\n\n\n<p>If you ever find yourself in this domain then I thought I would stick this at the top of the blog rather than a wrap up at the end \u2013 These are things I either knew already of found out during the process;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If your are dealing with a Cloud deployment of Dynamics, the Microsoft SQL Server arrays adopt TDE alongside the Data Encryption that introduced back in the CRM 2013 days<ul><li>More reading for CRM Data Encryption &#8211;&nbsp;<a href=\"https:\/\/community.dynamics.com\/365\/sales\/b\/crminogic\/posts\/data-encryption-in-crm-2013\">https:\/\/community.dynamics.com\/365\/sales\/b\/crminogic\/posts\/data-encryption-in-crm-2013<\/a><\/li><li>More reading for Dynamics Cloud Encryption &#8211;&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/office-365-encryption-in-microsoft-dynamics-365?view=o365-worldwid%C2%A0%C2%A0%C2%A0%C2%A0\">https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/office-365-encryption-in-microsoft-dynamics-365?view=o365-worldwid&nbsp;&nbsp;&nbsp;&nbsp;<\/a><\/li><\/ul><\/li><li>It goes without saying but only use your Dev\/UAT environment and take a copy of the database\/Server snapshot before you start<\/li><li>Using SSMS 2018 (SQL Server Management Studio)<\/li><li>Here there is no SQL load balancing<\/li><li>The rest of the network is running TLS 1.2 so the data is secure (as per industry standards) in transit<\/li><li>Either SQL Server 2019 Standard or SQL Server 2016 Enterprise Editions<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. Disclaimer\u2026<\/strong><\/h3>\n\n\n\n<p>It is worth stressing that you need to check your SQL Server version(s) you will be using \u2013 The SQL Server licensing model allows for a non-production \u2018Developer\u2019 License that shares the same functionality as an Enterprise License. I found this out the hard way as we had the following set up<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SQL Server 2016 Developer Edition for UAT<\/li><li>SQL Server 2016 Standard Edition for Live<\/li><\/ul>\n\n\n\n<p>TDE is not available for the SQL Server 2016 Standard Edition so bare this in mind \u2013 However it is available for the SQL Server 2019 Edition&nbsp;<\/p>\n\n\n\n<p>4. How and Where to Start<\/p>\n\n\n\n<p>I began my search with Microsoft via a good old Google Search. From what I could find there seemed to be 2 different options available here \u2013 Always Encrypted and TDE (Transparent Data Encryption). I did start with Always Encrypted as we only needed to encrypt 6 Fields on the Case (Incident) Entity and this seemed to be the least intrusive option. However as stated above, it was proving to be awkward and slow to test, and CRM was throwing generic SQL errors. With nothing in the SQL Event Log or the SQL Server Logs (Plus with me knowing that Dynamics 365 uses TDE my heart wasn\u2019t really into wasting large amounts of time without exploring TDE myself first)<\/p>\n\n\n\n<p>What I would say is that the Microsoft documentation is very good and clear and provides your with all the information your require.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5. Setting up TDE<\/strong><\/h3>\n\n\n\n<p>The diagram taken below from&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/encryption\/transparent-data-encryption?view=sql-server-ver15\">https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/encryption\/transparent-data-encryption?view=sql-server-ver15<\/a>&nbsp;shows how the setup of TDE works. Using the familiar Parent\/Child relationship concept we have in CRM, here we have a Database Master Key (Parent) and a Database Encryption Key (Child)<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/encryption\/media\/tde-architecture.png?view=sql-server-ver15\" alt=\"The Transparent Database Encryption architecture\" \/><\/figure>\n\n\n\n<p><strong><em>[I would recommend getting comfortable around the above diagram as this drives the next stage in the process]<\/em><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<p>So, we now need to create a DMK (Database Master Key) and a DEK (Database Encryption Key) using the below SQL Query;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>USE master;<br>Go<br>Create Master Key encryption by password = &#8216;&lt;Add a secure password here&gt;&#8217;;<br>go<br>CREATE CERTIFICATE Give the DMK a certificate name WITH SUBJECT = &#8216;Example Certificate Subject&#8217;;<br>go<br>USE The target Database you want to apply TDE to;<br>GO<br>CREATE DATABASE ENCRYPTION KEY<br>WITH ALGORITHM = AES_128<br>ENCRYPTION BY SERVER CERTIFICATE Give the DMK a certificate name WITH SUBJECT ;<br>GO<br>ALTER DATABASE USE The target Database you want to apply TDE to<br>SET ENCRYPTION ON;<br>GO<\/strong><\/p><\/blockquote>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<p>And here is what is looks like for me:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/license.citruslime.com\/cs\/blogs\/crmcs\/image_737F9A7D.png\"><img decoding=\"async\" src=\"https:\/\/license.citruslime.com\/cs\/blogs\/crmcs\/image_thumb_73136788.png\" alt=\"image\" title=\"image\" \/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<p>Once executed, you will get a message below to confirm and you can also check the current SQL Server Logs to show that the TDE Encryption Scan is in progress \u2013 Once the scan is completed, TDE is now set up and in place<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6. Progress and Evidencing<\/strong><\/h3>\n\n\n\n<p>On my Google travels I came across the following query a few times that I would recommend;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Helps you to evidence TDE is in place for a Database<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Shows you the progress of the TDE encryption scan<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>SELECT DB_NAME (database_id) AS DatabaseName, encryption_state,<br>encryption_state_desc =<br>CASE encryption_state<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN &#8216;0&#8217;&nbsp; THEN&nbsp; &#8216;No database encryption key present, no encryption&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN &#8216;1&#8217;&nbsp; THEN&nbsp; &#8216;Unencrypted&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN &#8216;2&#8217;&nbsp; THEN&nbsp; &#8216;Encryption in progress&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN &#8216;3&#8217;&nbsp; THEN&nbsp; &#8216;Encrypted&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN &#8216;4&#8217;&nbsp; THEN&nbsp; &#8216;Key change in progress&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN &#8216;5&#8217;&nbsp; THEN&nbsp; &#8216;Decryption in progress&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN &#8216;6&#8217;&nbsp; THEN&nbsp; &#8216;Protection change in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed.)&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ELSE &#8216;No Status&#8217;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; END,<br>percent_complete,encryptor_thumbprint, encryptor_type&nbsp; FROM sys.dm_database_encryption_keys<\/strong><\/p><\/blockquote>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<p>Copy the above query like for like, you don\u2019t need to change anything:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/license.citruslime.com\/cs\/blogs\/crmcs\/image_75BC2339.png\"><img decoding=\"async\" src=\"https:\/\/license.citruslime.com\/cs\/blogs\/crmcs\/image_thumb_4E81DA04.png\" alt=\"image\" title=\"image\" \/><\/a><\/figure>\n\n\n\n<p><em>TDE Encryption Scan in progress<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/license.citruslime.com\/cs\/blogs\/crmcs\/image_1C1E0685.png\"><img decoding=\"async\" src=\"https:\/\/license.citruslime.com\/cs\/blogs\/crmcs\/image_thumb_22D11008.png\" alt=\"image\" title=\"image\" \/><\/a><\/figure>\n\n\n\n<p><em>TDE Encryption Scan complete<\/em><\/p>\n\n\n\n<p><strong>Next: Visit our&nbsp;<a href=\"https:\/\/www.crmcs.co.uk\/content\/a-day-in-the-life-moneypenny-release.aspx\">Dynamics Day in the Life Articles<\/a><u>&nbsp;<\/u>and see how CRMCS have successfully implemented innovative and seamless solutions with our current clients<\/strong><\/p>\n\n\n\n<p><strong><a href=\"https:\/\/www.crmcs.co.uk\/contact-us.aspx\">Contact us<\/a>&nbsp;on 0161 348 7360 for a chat or Fill out our&nbsp;<a href=\"https:\/\/www.crmcs.co.uk\/contact-us.aspx\">Contact Form<\/a>&nbsp;for further information and how to get started.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We were tasked by a client to look at what levels of\u00a0Database Encryption (Encryption at Rest)\u00a0were in place andalso how we could fill in any gaps. Here in the UK we would be talking about the sensitive personal informationcovered by the GDPR legislation, and how we can make it as secure as possible. The request<\/p>\n","protected":false},"author":43,"featured_media":35,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_price":"","_stock":"","_tribe_ticket_header":"","_tribe_default_ticket_provider":"","_tribe_ticket_capacity":"0","_ticket_start_date":"","_ticket_end_date":"","_tribe_ticket_show_description":"","_tribe_ticket_show_not_going":false,"_tribe_ticket_use_global_stock":"","_tribe_ticket_global_stock_level":"","_global_stock_mode":"","_global_stock_cap":"","_tribe_rsvp_for_event":"","_tribe_ticket_going_count":"","_tribe_ticket_not_going_count":"","_tribe_tickets_list":"[]","_tribe_ticket_has_attendee_info_fields":false,"footnotes":""},"categories":[3],"tags":[],"class_list":{"0":"post-183","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-crm"},"featured_image_src":"https:\/\/blog.citrus-lime.com\/crmc\/wp-content\/uploads\/sites\/30\/2021\/11\/Dynamics-365-Consultancy.jpg","author_info":{"display_name":"jadesmith","author_link":"https:\/\/blog.citrus-lime.com\/crmc\/author\/jadesmith\/"},"_links":{"self":[{"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/posts\/183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/comments?post=183"}],"version-history":[{"count":1,"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/posts\/183\/revisions"}],"predecessor-version":[{"id":184,"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/posts\/183\/revisions\/184"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/media\/35"}],"wp:attachment":[{"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/media?parent=183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/categories?post=183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.citrus-lime.com\/crmc\/wp-json\/wp\/v2\/tags?post=183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}