Securing the Root Keys for TDE

In this quick post we’re going to look at an additional step you should take to secure your TDE databases. This is a step you won’t find in any other documentation on setting up TDE in SQL Server that I’ve seen, so it probably bears a little explaining.

We looked at the encryption hierarchy in earlier posts. Let’s look at that again to give us context for what we are about to discuss:

At every level in the diagram, the keys are securely encrypted by the level above. What concerns us here is the very top level in the diagram, the keys used by the DPAPI. These keys are unique to your server, but as they sit at the root level there is nothing left to encrypt them, so they have to be stored unencrypted somewhere.

The keys are held in the following directory on most Windows systems:
C:\Windows\System32\Microsoft\Protect\S-1-5-18

It’s not a trivial technical task, but if someone can access these keys as well as a copy of your database files (including the master database) – or a copy of your database backups including master, then it is possible for them to decrypt the chain of keys working from the SMK down and eventually be able to decrypt your TDE-protected data.

That means if someone has read access to the DPAPI keys then they could access your data. However, this is easy to protect against. You just need to secure the above directory to ensure that only Local Administrators, the LOCAL SYSTEM account and the SQL Server service account can read anything within it. You can do that by applying the appropriate file system permissions if they are not already in place.
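
One way to check the existing permissions before changing anything, added here as an example and not taken from the original post: the script lists every Allow entry that grants read access to the directory or its files to an account outside the three named above. The service account name NT SERVICE\MSSQLSERVER and the English built-in account names are assumptions, and Get-UnexpectedReader is a hypothetical helper name.

```powershell
# Added example: report accounts that can read the DPAPI key directory.
$KeyDir = 'C:\Windows\System32\Microsoft\Protect\S-1-5-18'
# Assumption: default-instance virtual service account; substitute your own service account.
$SqlServiceAccount = 'NT SERVICE\MSSQLSERVER'
# Assumption: English account names; localized Windows builds use different display names.
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $SqlServiceAccount)

# Bits that grant read: ReadData (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
$ReadBits = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor
            0x10000000 -bor [int]::MinValue

function Get-UnexpectedReader {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        # Deny entries and entries without any read bit cannot expose the keys.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $ReadBits) -eq 0) { continue }
        # -contains is case-insensitive, so account-name casing does not matter.
        if ($AllowedIdentity -contains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# The key files are hidden system files, so -Force is required to enumerate them.
$targets = @($KeyDir) + @(Get-ChildItem -LiteralPath $KeyDir -Recurse -Force |
                          Select-Object -ExpandProperty FullName)
$findings = foreach ($t in $targets) { Get-UnexpectedReader -Path $t -AllowedIdentity $Allowed }

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
} else {
    'No unexpected read access found under ' + $KeyDir
}
```

Run it from an elevated PowerShell session. An entry reported with Inherited set to True comes from a parent folder, so it has to be removed there or by disabling inheritance on this directory.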

In the next post we’ll start to look at things you want to consider when encrypting existing databases that contain data.

This post is part of a comprehensive series on SQL Server Encryption. Subscribe to my blog for updates as new posts are published or you can buy my book through the link in the sidebar to get it all in one go.

And if you’re embarking on an encryption project (or anything else to do with SQL Server) and want some help, I’m available for consulting – please get in touch or check out my services page to find out what I can do for you.
