Enable Transparent Data Encryption (TDE) for Stretch Database on Azure (Transact-SQL)

Transparent Data Encryption (TDE) helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key. The database encryption key is protected by a built-in server certificate. The built-in server certificate is unique for each Azure server. Azure automatically rotates these certificates at least every 90 days. For a general description of TDE, see Transparent Data Encryption (TDE).

Enabling Encryption

To enable TDE for an Azure database that's storing the data migrated from a Stretch-enabled SQL Server database, do the following things:

  1. Connect to the master database on the Azure server hosting the database using a login that is an administrator or a member of the dbmanager role in the master database.

  2. Execute the following statement to encrypt the database.

    ALTER DATABASE [database_name] SET ENCRYPTION ON;

Disabling Encryption

To disable TDE for an Azure database that's storing the data migrated from a Stretch-enabled SQL Server database, do the following things:

  1. Connect to the master database using a login that is an administrator or a member of the dbmanager role in the master database.

  2. Execute the following statement to turn encryption off for the database.

    ALTER DATABASE [database_name] SET ENCRYPTION OFF;

Verifying Encryption

To verify encryption status for an Azure database that's storing the data migrated from a Stretch-enabled SQL Server database, do the following things:

  1. Connect to the master or instance database using a login that is an administrator or a member of the dbmanager role in the master database.

  2. Execute the following statement to check the encryption status of the database.

    SELECT
        [name],
        [is_encrypted]
    FROM
        sys.databases;

A result of 1 indicates an encrypted database, 0 indicates a non-encrypted database.
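The following script is an added example, not code from the original page: it combines the enable and verify steps above into one audit pass that lists unencrypted databases from master, turns TDE on for an archive database, and then reads the encryption progress from sys.dm_database_encryption_keys while connected to that database. The database name [StretchArchive] and the batch layout are assumptions for illustration.

```sql
-- Added example, not part of the original page.
-- [StretchArchive] is a placeholder name; replace it with your own database.

-- Batch 1: run while connected to the master database of the Azure server
-- with a login that is an administrator or a member of dbmanager.
-- List every user database whose storage is NOT encrypted, so a gap is
-- visible before Stretch data is migrated into it.
SELECT [name], [is_encrypted]
FROM sys.databases
WHERE [name] NOT IN (N'master', N'tempdb', N'model', N'msdb')
  AND [is_encrypted] = 0
ORDER BY [name];
GO

-- Batch 2 (still in master): turn TDE on for the archive database.
-- SET ENCRYPTION ON is idempotent, so re-running the script is safe.
ALTER DATABASE [StretchArchive] SET ENCRYPTION ON;
GO

-- Batch 3: run while connected to [StretchArchive] itself.
-- sys.databases.is_encrypted only reports 1 once the background encryption
-- scan has finished; this DMV shows the progress and which protector
-- (the built-in server certificate) guards the database encryption key.
SELECT
    DB_NAME(database_id) AS database_name,
    CASE encryption_state
        WHEN 0 THEN 'No database encryption key present, unencrypted'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'Unknown'
    END AS encryption_state_desc,
    percent_complete,      -- 0 once the scan has completed
    encryptor_type,        -- expected: CERTIFICATE (built-in server certificate)
    key_algorithm,
    key_length
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID();
```

Batch 3 needs VIEW DATABASE STATE on the target database; an encryption_state other than 3 after the scan has finished is the condition a monitoring job should alert on.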