HiveBrain v1.2.0

Should you encrypt the system databases?

Submitted by: @import:stackexchange-dba

Problem

A finding from a STIG evaluation, CCE-19832-5 reports that the [master] database should be encrypted with a Database Master Key using an encrypted password that meets DoD standards.

This is a result of an AppDetective scan; it states:

Resource key 'database_containing_encrypted_key' not found.=[master].

I am not deliberately storing anything in the master database.

I've encrypted all user databases but my question is: do you encrypt the system databases, specifically master? I am using TDE with SQL Server 2012.

Solution

The answer is "NO".

When you attempt to encrypt a system database, SQL Server complains:

Cannot encrypt a system database. Database encryption operations
cannot be performed for 'master', 'model', 'tempdb', 'msdb' or
'resource' databases.

However, it's important to realize that any successful encryption of a non-system database will cause TempDB to be encrypted automatically, to protect temporary objects. In fact, even if TDE is later removed from the user database, TempDB will remain encrypted.
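The checks a DBA would run to verify what the answer describes, as an added T-SQL example (not part of the original answer): the first query reports the TDE state of every database, including the implicit encryption of tempdb, and the second lists the Database Master Key in [master] and the certificates that actually protect database encryption keys, which is what the STIG finding is about. It assumes SQL Server 2008 or later catalog views and a login with VIEW SERVER STATE and VIEW DEFINITION.

```sql
-- Added example: TDE state per database. tempdb shows a DEK with
-- encryption_state 3 once any user database has been encrypted, even
-- though TDE can never be enabled on it directly.
SELECT
    d.name                        AS database_name,
    d.is_encrypted,                -- sys.databases flag
    dek.encryption_state,          -- NULL = no DEK ever created
    CASE dek.encryption_state
        WHEN 0 THEN 'No database encryption key present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'TDE never enabled'
    END                           AS encryption_state_desc,
    dek.key_algorithm,
    dek.key_length,
    dek.encryptor_type             -- CERTIFICATE or ASYMMETRIC KEY
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek
       ON dek.database_id = d.database_id
ORDER BY d.database_id;

-- Added example: the key hierarchy in master that TDE depends on.
-- First, how the Database Master Key itself is protected (by the service
-- master key, by a password, or both); then which certificates protect
-- at least one database encryption key, and how their private keys are
-- protected. A DEK certificate with NO_PRIVATE_KEY, or one whose private
-- key was never backed up, is the usual finding to chase.
USE master;

SELECT sk.name, sk.algorithm_desc, sk.key_length, sk.create_date,
       ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke
  ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = '##MS_DatabaseMasterKey##';

SELECT c.name, c.pvt_key_encryption_type_desc, c.expiry_date,
       COUNT(dek.database_id) AS databases_protected
FROM sys.certificates AS c
JOIN sys.dm_database_encryption_keys AS dek
  ON dek.encryptor_thumbprint = c.thumbprint
GROUP BY c.name, c.pvt_key_encryption_type_desc, c.expiry_date
ORDER BY databases_protected DESC;
```

If the first query shows tempdb at encryption_state 3 while every user database is unencrypted, that is the lingering behaviour the answer mentions; only restarting the instance recreates tempdb without a DEK.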

Context

StackExchange Database Administrators Q#116175, answer score: 8
