And I’ve read several topics here saying that 10.2 supports it out of the box.
What I am unsure of is any Epicor documentation to configure this, and any steps to be aware of?
I have not used this functionality before and I have this fear of encrypting the database without knowing how to decrypt it
Any conversations on going from non-encrypted at rest to encrypted would be much appreciated!
Thanks Simon
I’m on the struggle bus with this one. I can’t seem to find any documentation in the implementation guide or in the system administration guide relating to database encryption, only relating to transport layer encryption.
Does EAC need to store a key so that it can access the encrypted DB? Or is this something entirely within SQL? And as long as the “user” (the App Server in EAC) has access, SQL encrypts and decrypts the data it passes to the App Server? The encryption part really just refers to how the data is stored in the DB?
Just trying to follow along and learn something new.
As I understand it, TDE encrypts the data in memory before it’s written to the disk, then decrypts it upon retrieval (again, in memory).
These are great questions, and I have no idea what role EAC plays with it. If it stored the key, that would be great.
I remember getting excited about this when it first became available in SQL. The company I worked for at the time was in the FSI software field.
Here’s a link from MS which explains TDE in pretty good detail.
The crux of it is that it is at-rest DE at the page level of the database. To restore the database to another server, you need the backup, the certificate and the related private key.
Size of the db doesn’t change, but my guess is that there would be some performance hit.
I’ve got a feeling that the admin console just looks at the sys.dm_database_encryption_keys DMV, or some custom view/stored procedure that relates the database name to the database_id and returns the encryption state in SQL. You would not want Epicor storing its own copy of the key; that would be bad.
I’m still digging into this and doing some testing, researching.
If you get a chance, or have access to one, could you run the following on a demo database?
select count(*)                        -- one row per default constraint, i.e. one defaulted column
from sys.default_constraints con
left outer join sys.objects t          -- the table that owns the constraint
    on con.parent_object_id = t.object_id
left outer join sys.all_columns col    -- the column the default applies to
    on con.parent_column_id = col.column_id
    and con.parent_object_id = col.object_id
This counts the number of columns with default constraints. You can’t use Always On Encryption on these columns, which I was hoping you might be able to do; I suspect this is why Data Masking might have been introduced. It would take a lot of re-architecting on the database and the app side to sort that out, but with modern development tools today, you might be in with a chance.
My document is going to include the three areas around TSQL with regards to encryption: TDE, backup and Always On encryption. I was hoping that you might be able to utilize Always On Encryption, but alas I don’t think that will fly, at least not yet.
EDIT 2
Hello @Aaron_Moreng,
Here is the first cut. I hope you find it useful. I know I enjoyed digging into this a bit deeper; a bit of a can of worms actually. Those MKEs, DEKs, and EKM, OMG! The attached document outlines the different encryption methods with various links to examples; it didn’t make sense to reinvent the wheel. I perhaps could have gone into more depth on column/cell level encryption, but where do you stop… Be as harsh a critic as you need.
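The steps the thread describes (key hierarchy, certificate plus private key needed for a restore, and reading the encryption state from sys.dm_database_encryption_keys) as a worked T-SQL script. This is an added example, not code from the thread, from Epicor, or from the attached document. The database name EpicorDemo, the certificate name TDE_Cert, the file paths and the passwords are all assumptions; replace them before use. The one thing this script is built around is step 3: the certificate and private key backup is what answers the "encrypt it and then can't decrypt it" worry, because without those files no copy of the encrypted database can be restored anywhere else.

```sql
-- Added example (not from the thread or from Epicor): enable TDE on a
-- hypothetical database [EpicorDemo] and check its state afterwards.
-- EpicorDemo, TDE_Cert, the passwords and the C:\TDE paths are assumed values.
USE master;
GO

-- 1. Database master key (DMK) in master, protected by a password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Ch@nge-Me-Str0ng-DMK-Passw0rd!';
GO

-- 2. Server certificate that will protect the database encryption key (DEK).
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDE_Cert')
    CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for EpicorDemo';
GO

-- 3. Back up the certificate AND its private key before encrypting anything.
--    Store both files and this password off the SQL host. A database backup
--    taken after step 5 is unrestorable on any instance that lacks them.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\TDE\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDE\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'Pr1vate-Key-Backup-Passw0rd!');
GO

-- 4. DEK inside the target database, encrypted by the server certificate.
USE EpicorDemo;
GO
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO

-- 5. Switch encryption on. A background scan encrypts the existing pages;
--    pages written from now on are encrypted on the way to disk and
--    decrypted on the way back into the buffer pool, as described above.
ALTER DATABASE EpicorDemo SET ENCRYPTION ON;
GO

-- 6. Read the state the way a console could: database name -> database_id ->
--    encryption_state (1 = unencrypted, 2 = encryption in progress,
--    3 = encrypted, 4 = key change in progress, 5 = decryption in progress).
--    No key material is exposed here, only the encryptor's thumbprint.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type,
       c.name AS certificate_name
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
LEFT JOIN master.sys.certificates AS c        ON c.thumbprint  = k.encryptor_thumbprint
WHERE d.name = 'EpicorDemo';
GO

-- 7. On the RESTORE target instance (run there, not here), before RESTORE DATABASE:
--    recreate a DMK in master and import the certificate from the step 3 files.
-- USE master;
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Target-Instance-DMK-Passw0rd!';
-- CREATE CERTIFICATE TDE_Cert
--     FROM FILE = 'C:\TDE\TDE_Cert.cer'
--     WITH PRIVATE KEY (FILE = 'C:\TDE\TDE_Cert.pvk',
--                       DECRYPTION BY PASSWORD = 'Pr1vate-Key-Backup-Passw0rd!');
-- RESTORE DATABASE EpicorDemo FROM DISK = 'C:\Backups\EpicorDemo.bak';
```

Two things to check before running this against anything real: the SQL Server service account needs write access to the C:\TDE folder for step 3, and once any user database on the instance is encrypted, tempdb is encrypted as well, which is where the performance cost guessed at above tends to show up.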