Page 98 - DCAP508_DATABASE_ADMINISTRATION
Figure 6.4
Keep in mind the following concepts:
For best performance, encrypt data using symmetric keys instead of certificates or asymmetric keys.
Database master keys are protected by the Service Master Key. The Service Master Key is created by SQL Server setup and is encrypted with the Windows Data Protection API (DPAPI).
Other encryption hierarchies that stack additional layers are possible.
An Extensible Key Management (EKM) module holds symmetric or asymmetric keys outside of SQL Server.
Transparent Data Encryption (TDE) must use a symmetric key called the database encryption key, which is protected either by a certificate protected by the database master key of the master database, or by an asymmetric key stored in an EKM.
The Service Master Key and all Database Master Keys are symmetric keys.
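The TDE chain described above (database master key of master, then certificate, then database encryption key), written out as an added T-SQL example that is not part of the original text. The database name SalesDb, the certificate name TdeServerCert, the file paths and the passwords are constructed placeholders.

```sql
-- Added example: build the TDE key chain and verify each layer.
-- SalesDb, TdeServerCert, paths and passwords are placeholders (assumptions).

USE master;

-- Layer 1: database master key of master. It is also encrypted by the
-- Service Master Key, so SQL Server can open it automatically.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password-1>';

-- Layer 2: certificate whose private key is protected by that master key.
CREATE CERTIFICATE TdeServerCert
    WITH SUBJECT = 'TDE certificate for SalesDb (example)';

-- Back up the certificate and private key immediately. An encrypted
-- database cannot be restored on another server without them.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'D:\KeyBackup\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\TdeServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-strong-password-2>');

USE SalesDb;

-- Layer 3: the symmetric database encryption key, protected by the certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;

ALTER DATABASE SalesDb SET ENCRYPTION ON;

-- Check 1: the master key of master is protected by the Service Master Key.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = 'master';

-- Check 2: which databases have an encryption key, its state, and which
-- certificate protects it (encryption_state 3 means encrypted).
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.key_algorithm,
       dek.key_length,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
```

Enabling TDE on any user database also encrypts tempdb, so tempdb appears in the second query's output.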
92 LOVELY PROFESSIONAL UNIVERSITY