- How Are Encryption Keys Securely Generated Free
- How Are Encryption Keys Securely Generated Windows 7
- Satellite Encryption Keys
- How Are Encryption Keys Securely Generated Windows 10
- Create Encryption Key
- How Are Encryption Keys Securely Generated Windows 7
In addition to controlling access, you can also encrypt data to reduce your security risks. However, data encryption is not an infallible solution. This chapter discusses the appropriate uses of data encryption and provides examples of using data encryption in applications. It contains the following topics:
How to manage encryption keys. Encryption is an effective way to secure data, but the encryption keys used must be carefully managed to ensure data remains protected and accessible when needed. Keys are generated automatically and stored securely so they can be changed regularly. Feb 20, 2018 how encryption keys being generated? - posted in Encryption Methods and Programs: Hi All, Im a novice and was unable to understand the correct procedure in. Mar 06, 2018 Oracle supports two types of encryption algorithms: symmetric algorithms (use the same key for encrypting and decrypting data) for encrypting stored data and asymmetric algorithms (2 keys are generated: a private key used for decryption and a public key that will be used by the message sender in order to encrypt the message) used for database.
Securing Sensitive Information
While the Internet poses new challenges in information security, many of them can be addressed by the traditional arsenal of security mechanisms:
- Strong user authentication to identify users
- Granular access control to limit what users can see and do
- Auditing for accountability
- Network encryption to protect the confidentiality of sensitive data in transmission
Encryption is an important component of several of these solutions. For example, Secure Sockets Layer (SSL), an Internet-standard network encryption and authentication protocol, uses encryption to strongly authenticate users by means of X.509 digital certificates. SSL also uses encryption to ensure data confidentiality, and cryptographic checksums to ensure data integrity. Many of these uses of encryption are relatively transparent to a user or application. For example, many browsers support SSL, and users generally do not need to do anything special to enable SSL encryption.
Oracle has provided network encryption between database clients and the Oracle database since version 7. Oracle Advanced Security, an option to the Oracle Database server, provides encryption and cryptographic checksums for integrity checking with any protocol supported by the database, including Oracle Net, Java Database Connectivity (JDBC—both thick and thin JDBC), and the Internet Intra-Orb Protocol (IIOP). Oracle Advanced Security also supports SSL for Oracle Net, thick JDBC, and IIOP connections.
While encryption is not a security cure-all, it is an important tool in addressing specific security threats. In particular, the rapid growth of e-business has spurred increased encryption of stored data, such as credit card numbers. While SSL is typically used to protect these numbers in transit to a Web site, where data is not protected as it is in storage, the file system or database storing them often does so as clear text (unencrypted). Information stored in the clear is then directly accessible to anyone who can break into the host and gain root access, or gain illicit access to the database.
Databases can be made quite secure through proper configuration, but they can also be vulnerable to host break-ins if the host is misconfigured. In well-publicized break-ins, a hacker obtained a large list of credit card numbers by breaking into a database. Had the data been encrypted, the stolen information would have been useless. Encryption of stored data can thus be an important tool in limiting information loss even in the normally rare occurrence that access controls are bypassed.
Principles of Data Encryption
While there are many good reasons to encrypt data, there are many reasons not to. Encryption does not solve all security problems, and may even make some problems worse. The following sections describe some misconceptions about encryption of stored data:
Principle 1: Encryption Does Not Solve Access Control Problems
Most organizations need to limit data access to those who have a need to know. For example, a human resources system may limit employees to viewing only their own employment records, while allowing managers of employees to see the employment records of subordinates. Human resource specialists may also need to see employee records for multiple employees.
This type of security policy limiting data access to those with a need to see it is typically addressed by access control mechanisms. Oracle Database has provided strong, independently-evaluated access control mechanisms for many years. It enables access control enforcement to an extremely fine level of granularity through its Virtual Private Database capability.
Because human resource records are considered sensitive information, it is tempting to think that all information should be encrypted for better security. However, encryption cannot enforce granular access control, and it may actually hinder data access. For example, an employee, his manager, and a human resources clerk may all need to access an employee record. If all employee data is encrypted, then all three must be able to access the data in un-encrypted form. Therefore, the employee, the manager and the HR clerk would have to share the same encryption key to decrypt the data. Encryption would therefore not provide any additional security in the sense of better access control, and the encryption might actually hinder the proper or efficient functioning of the application. An additional issue is that it is very difficult to securely transmit and share encryption keys among multiple users of a system.
A basic principle behind encrypting stored data is that it must not interfere with access control. For example, a user who has the
SELECT
privilege on EMP should not be limited by the encryption mechanism from seeing all the data he is otherwise allowed to see. Similarly, there is little benefit to encrypting part of a table with one key and part of a table with another key if users need to see all encrypted data in the table. It merely adds to the overhead of decrypting the data before users can read it. If access controls are implemented well, then encryption adds little additional security within the database itself. Any user who has privilege to access data within the database has no more nor any less privilege as a result of encryption. Therefore, encryption should never be used to solve access control problems.Principle 2: Encryption Does Not Protect Against a Malicious DBA
Some organizations, concerned that a malicious user might gain elevated (DBA) privileges by guessing a password, like the idea of encrypting stored data to protect against this threat. However, the correct solution to this problem is to protect the DBA account, and to change default passwords for other privileged accounts. The easiest way to break into a database is by using a default password for a privileged account that an administrator has allowed to remain unchanged. One example is
SYS
/CHANGE_ON_INSTALL
.While there are many destructive things a malicious user can do to a database after gaining DBA privilege, encryption will not protect against many of them. Examples include corrupting or deleting data, exporting user data to the file system to mail the data back to himself so as to run a password cracker on it, and so on.
Some organizations are concerned that DBAs, typically having all privileges, are able to see all data in the database. These organizations feel that the DBAs should merely administer the database, but should not be able to see the data that the database contains. Some organizations are also concerned about concentrating so much privilege in one person, and would prefer to partition the DBA function, or enforce two-person access rules.
It is tempting to think that encrypting all data (or significant amounts of data) will solve these problems, but there are better ways to protect against these threats. For example, Oracle Database does support limited partitioning of DBA privileges. Oracle Database provides native support for
SYSDBA
and SYSOPER
users. SYSDBA
has all privileges, but SYSOPER
has a limited privilege set (such as startup and shutdown of the database).Furthermore, an organization can create smaller roles encompassing a number of system privileges. A
JR_DBA
role might not include all system privileges, but only those appropriate to a junior DBA (such as CREATE TABLE
, CREATE USER
, and so on).Oracle Database also enables auditing the actions taken by
SYS
(or SYS
-privileged users) and storing that audit trail in a secure operating system location. Using this model, a separate auditor who has root privileges on the operating system can audit all actions by SYS
, enabling the auditor to hold all DBAs accountable for their actions.See Also:
'Auditing Administrative Users' for information about using the AUDIT_SYS_OPERATIONS
parameter.The DBA function by its nature is a trusted position. Even organizations with the most sensitive data such as intelligence agencies do not typically partition the DBA function. Instead, they vet their DBAs strongly, because it is a position of trust. Periodic auditing can help to uncover inappropriate activities.
Encryption of stored data must not interfere with the administration of the database, because otherwise, larger security issues can result. For example, if by encrypting data you corrupt the data, then you create a security problem, the data itself becomes uninterpretable, and it may not be recoverable.
Encryption can be used to limit the ability of a DBAor other privileged user to see data in the database. However, it is not a substitute for vetting a DBA properly, or for controlling the use of powerful system privileges. If untrustworthy users have significant privileges, then they can pose multiple threats to an organization, some of them far more significant than viewing unencrypted credit card numbers.
Principle 3: Encrypting Everything Does Not Make Data Secure
A common error is to think that if encrypting some data strengthens security, then encrypting everything makes all data secure.
As the discussion of the prior two principles illustrates, encryption does not address access control issues well, and it is important that encryption not interfere with normal access controls. Furthermore, encrypting an entire production database means that all data must be decrypted to be read, updated, or deleted. Encryption is inherently a performance-intensive operation, encrypting all data will significantly affect performance.
Availability is a key aspect of security. If encrypting data makes data unavailable, or adversely affects availability by reducing performance, then encrypting everything will create a new security problem. Availability is also adversely affected by the database being inaccessible when encryption keys are changed, as good security practices require on a regular basis. When the keys are to be changed, the database is inaccessible while data is decrypted and re-encrypted with a new key or keys.
However, there may be advantages to encrypting data stored off-line. For example, an organization may store backups for a period of six months to a year off-line, in a remote location. Of course, the first line of protection is to secure the facility storing the data, by establishing physical access controls. Encrypting this data before it is stored may provide additional benefits. Because it is not being accessed on-line, performance need not be a consideration. While an Oracle database server does not provide this capability, there are vendors who can provide such encryption services. Before embarking on large-scale encryption of backup data, organizations considering this approach should thoroughly test the process. It is essential to verify that data encrypted before off-line storage can be decrypted and re-imported successfully.
Stored Data Encryption Using DBMS_CRYPTO
The
DBMS_CRYPTO
package provides several means for addressing the security issues that have been discussed. (For backward compatibility, DBMS_OBFUSCATION_TOOLKIT
is also provided.) This section includes these topics:DBMS_CRYPTO Hashing and Encryption Capabilities
While encryption is not the ideal solution for addressing a number of security threats, it is clear that selectively encrypting sensitive data before storage in the database does improve security. Examples of such data could include:
- Credit card numbers
- National identity numbers
To address these needs, Oracle Database provides the PL/SQL package
DBMS_CRYPTO
to encrypt and decrypt stored data. This package supports several industry-standard encryption and hashing algorithms, including the Advanced Encryption Standard (AES) encryption algorithm. AES has been approved by the National Institute of Standards and Technology (NIST) to replace the Data Encryption Standard (DES).The
DBMS_CRYPTO
package enables encryption and decryption for common Oracle data types, including RAW
and large objects (LOBs), such as images and sound. Specifically, it supports BLOBs and CLOBs. In addition, it provides Globalization Support for encrypting data across different database character sets.The following cryptographic algorithms are supported:
- Data Encryption Standard (DES), Triple DES (3DES, 2-key)
- Advanced Encryption Standard (AES)
- SHA-1 Cryptographic Hash
- SHA-1 Message Authentication Code (MAC)
Block cipher modifiers are also provided with
DBMS_CRYPTO
. You can choose from several padding options, including Public Key Cryptographic Standard (PKCS) #5, and from four block cipher chaining modes, including Cipher Block Chaining (CBC). Padding must be done in multiples of eight bytes.Note:
- DES is no longer recommended by the National Institute of Standards and Technology (NIST).
- Usage of SHA-1 is more secure than MD5.
- Keyed MD5 is not vulnerable.
Table 17-1 compares the
DBMS_CRYPTO
package features to the other PL/SQL encryption package, the DBMS_OBFUSCATION_TOOLKIT
.How Are Encryption Keys Securely Generated Free
Table 17-1 DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT Feature Comparison
Package Feature | DBMS_CRYPTO | DBMS_OBFUSCATION_TOOLKIT |
---|---|---|
Cryptographic algorithms | DES, 3DES, AES, RC4, 3DES_2KEY | DES, 3DES |
Padding forms | PKCS5, zeroes | None supported |
Block cipher chaining modes | CBC, CFB, ECB, OFB | CBC |
Cryptographic hash algorithms | SHA-1 | MD5 |
Keyed hash (MAC) algorithms | HMAC_MD5, HMAC_SH1 | None supported |
Cryptographic pseudo-random number generator | RAW , NUMBER , BINARY_INTEGER | RAW , VARCHAR2 |
Database types | RAW , CLOB , BLOB | RAW , VARCHAR2 |
DBMS_CRYPTO
is intended to replace the obfuscation toolkit, because it is easier to use and supports a range of algorithms accommodating both new and existing systems. Although 3DES_2KEY and MD4 are provided for backward compatibility, you achieve better security using 3DES, AES, or SHA-1. Therefore, 3DES_2KEY is not recommended.The
DBMS_CRYPTO
package includes cryptographic checksum capabilities (MD5), which are useful for compares, and the ability to generate a secure random number (the RANDOMBYTES
function). Secure random number generation is an important part of cryptography, predictable keys are easily-guessed keys, and easily-guessed keys may lead to easy decryption of data. Most cryptanalysis is done by finding weak keys or poorly stored keys, rather than through brute force analysis (cycling through all possible keys).Note:
- Do not use
DBMS_RANDOM
as it is unsuitable for cryptographic key generation. - For more detailed descriptions of both
DBMS_CRYPTO
andDBMS_OBFUSCATION_TOOLKIT
, also refer to the PL/SQL Packages and Types Reference.
Key management is programmatic. That is, the application (or caller of the function) must supply the encryption key. This means that the application developer must find a way of storing and retrieving keys securely. The relative strengths and weaknesses of various key management techniques are discussed in the sections that follow. The
DBMS_OBFUSCATION_TOOLKIT
package, which can handle both string and raw data, requires the submission of a 64-bit key. The DES algorithm itself has an effective key length of 56-bits.Note:
The DBMS_OBFUSCATION_TOOLKIT
is granted to the PUBLIC
role by default. Oracle strongly recommends that you revoke this grant.While the
DBMS_OBFUSCATION_TOOLKIT
package can take either VARCHAR2
or RAW
data types, it is preferable to use the RAW
data type for keys and encrypted data. Storing encrypted data as VARCHAR2
can cause problems if it passes through Globalization Support routines. For example, when transferring database to a database that uses another character set.To convert between
VARCHAR2
and RAW
data types, use the CAST_TO_RAW
and CAST_TO_VARCHAR2
functions of the UTL_RAW
package.See Also:
PL/SQL Packages and Types Reference for detailed documentation of the DBMS_CRYPTO
, DBMS_OBFUSCATION_TOOLKIT
and UTL_RAW
packagesData Encryption Challenges
Even in cases where encryption can provide additional security, come with associated technical challenges, as described in the following sections:
Encrypting Indexed Data
Special difficulties arise in handling encrypted data that is indexed. For example, suppose a company uses a national identity number, such as the U.S. Social Security number (SSN), as the employee number for its employees. The company considers employee numbers to be very sensitive data and therefore wants to encrypt data in the
EMPLOYEE_NUMBER
column of the EMPLOYEES
table. Because EMPLOYEE_NUMBER
contains unique values, the database designers want to have an index on it for better performance.However, if
DBMS_CRYPTO
or the DBMS_OBFUSCATION_TOOLKIT
(or another mechanism) is used to encrypt data in a column, then an index on that column will also contain encrypted values. Although such an index can be used for equality checking (for example, 'SELECT * FROM emp WHERE employee_number = '123245'
), if the index on that column contains encrypted values, then the index is essentially unusable for any other purpose. Oracle therefore recommends that developers not encrypt indexed data.Given the privacy issues associated with overuse of national identity numbers (for example, identity theft), the fact that some allegedly unique national identity numbers have duplicates (as with U.S. Social Security numbers), and the ease with which a sequence can generate a unique number, there are many good reasons to avoid using national identity numbers as unique IDs.
Key Generation
Encrypted data is only as secure as the key used for encrypting it. An encryption key must be securely generated using secure cryptographic key generation. Oracle Database provides support for secure random number generation, with the
RANDOMBYTES
function of DBMS_CRYPTO
. (This function replaces the capabilities provided by the GetKey
procedure of the earlier DBMS_OBFUSCATION_TOOLKIT
.) DBMS_CRYPTO
calls the secure random number generator (RNG) previously certified by RSA.Note:
Developers should not, under any circumstances use the DBMS_RANDOM
package. The DBMS_RANDOM
package generates pseudo-random numbers, which, as RFC-1750 states that the use of pseudo-random processes to generate secret quantities can result in pseudo-security.Be sure to provide the correct number of bytes when you encrypt a key value. For example, you must provide a 16-byte key for the
ENCRYPT_AES128
encryption algorithm.Key Transmission
If the key is to be passed by the application to the database, then it must be encrypted. Otherwise, a snooper could grab the key as it is being transmitted. Use of network encryption, such as that provided by Oracle Advanced Security, will protect all data in transit from modification or interception, including cryptographic keys.
Key Storage
Key storage is one of the most important, yet difficult, aspects of encryption. To recover data encrypted with a symmetric key, the key must be accessible to an authorized application or user seeking to decrypt the data. At the same time, the key must be inaccessible to someone who is maliciously trying to access encrypted data that he is not supposed to see.
The options available to a developer are:
Storing the Keys in the Database
Storing the keys in the database cannot always provide infallible security if you are trying to protect against the DBA accessing encrypted data. An all-privileged DBA could still access tables containing encryption keys. However, it can often provide quite good security against the casual snooper or against someone compromising the database file on the operating system.
As a trivial example, suppose you create a table (
EMP
) that contains employee data. You want to encrypt employee Social Security Number (SSN) stored in one of the columns. You could encrypt employee SSN using a key that is stored in a separate column. However, anyone with SELECT
access on the entire table could retrieve the encryption key and decrypt the matching SSN.While this encryption scheme seems easily defeated, with a little more effort you can create a solution that is much harder to break. For example, you could encrypt the SSN using a technique that performs some additional data transformation on the
employee_number
before using it to encrypt the SSN. This technique might be something as simple as XORing the employee_number
with the birth date of the employee.As additional protection, PL/SQL source code performing encryption can be wrapped, (using the
WRAP
utility) which obfuscates the code. The WRAP
utility processes an input SQL file and obfuscates the PL/SQL units in it. For example, the following command uses the keymanage.sql
file as the input:A developer can subsequently have a function in the package call the
DBMS_OBFUSCATION_TOOLKIT
with the key contained in the wrapped package.Oracle Database 10g Release 2 (10.2) allows you to obfuscate dynamically generated PL/SQL code. The
DBMS_DDL
package contains two subprograms which allow you to obfuscate dynamically generated PL/SQL program units. For example, the following block uses the DBMS_DDL.CREATE_WRAPPED
procedure to wrap dynamically generated PL/SQL code.While wrapping is not unbreakable, it makes it harder for a snooper to get the key. Even in cases where a different key is supplied for each encrypted data value, not embedding the key value within a package, wrapping the package that performs key management (that is, data transformation or padding) is recommended.
See Also:
PL/SQL User's Guide and Reference for additional information on the WRAP
command line utility and the DBMS_DDL
subprograms for dynamic wrappingAn alternative would be to have a separate table in which to store the encryption key and to envelope the call to the keys table with a procedure. The key table can be joined to the data table using a primary key to foreign key relationship. For example,
EMPLOYEE_NUMBER
is the primary key in the EMPLOYEES
table that stores employee information and the encrypted SSN. EMPLOYEE_NUMBER
is a foreign key to the SSN_KEYS
table that stores the encryption keys for employee SSN. The key stored in the SSN_KEYS
table can also be transformed before use (by using XORing), so the key itself is not stored unencrypted. The procedure itself should be wrapped, to hide the way in which keys are transformed before use.The strengths of this approach are:
- Users who have direct table access cannot see the sensitive data unencrypted, nor can they retrieve the keys to decrypt the data.
- Access to decrypted data can be controlled through a procedure that selects the encrypted data, retrieves the decryption key from the key table, and transforms it before it can be used to decrypt the data.
- The data transformation algorithm is hidden from casual snooping by wrapping the procedure, which obfuscates the procedure code.
SELECT
access to both the data table and the keys table does not guarantee that the user with this access can decrypt the data, because the key is transformed before use.
The weakness in this approach is that a user who has
SELECT
access to both the key table and the data table, and who can derive the key transformation algorithm, can break the encryption scheme.The preceding approach is not infallible, but it is good enough to protect against easy retrieval of sensitive information stored in clear text.
Storing the Keys in the Operating System
Storing keys in a flat file in the operating system is another option. Oracle Database enables you to make callouts from PL/SQL, which you could use to retrieve encryption keys. However, if you store keys in the operating system and make callouts to it, then your data is only as secure as the protection on the operating system. If your primary security concern driving you to encrypt data stored in the database is that the database can be broken into from the operating system, then storing the keys in the operating system arguably makes it easier for a hacker to retrieve encrypted data than storing the keys in the database itself.
Users Managing Their Own Keys
Having the user supply the key assumes the user will be responsible with the key. Considering that 40% of help desk calls are from users who have forgotten their passwords, you can see the risks of having users manage encryption keys. In all likelihood, users will either forget an encryption key, or write the key down, which then creates a security weakness. If a user forgets an encryption key or leaves the company, then your data is irrecoverable.
If you do elect to have user-supplied or user-managed keys, then you need to make sure you are using network encryption so that the key is not passed from the client to the server in the clear. You also must develop key archive mechanisms, which is also a difficult security problem. Key archives or backdoors create the security weaknesses that encryption is attempting to address in the first place.
Using Transparent Database Encryption
Transparent database encryption provides secure encryption with automatic key management for the encrypted tables. If the application requires protection of sensitive column data stored on the media, then transparent data encryption is a simple and fast way of achieving this.
See Also:
How Are Encryption Keys Securely Generated Windows 7
Oracle Database Advanced Security Administrator's Guide for more information on transparent data encryptionChanging Encryption Keys
Prudent security practice dictates that you periodically change encryption keys. For stored data, this requires periodically unencrypting the data, and reencrypting it with another well-chosen key. This would likely have to be done while the data is not being accessed, which creates another challenge. This is especially true for a Web-based application encrypting credit card numbers, because you do not want to shut down the entire application while you switch encryption keys.
BLOBS
Certain data types require more work to encrypt. For example, Oracle Database supports storage of Binary Large Objects (BLOBs), which let users store very large objects (for example, multiple gigabytes) in the database. A BLOB can be either stored internally as a column, or stored in an external file.
For an example of using
DBMS_CRYPTO
on BLOB data, refer to the section entitled Example of Encryption and Decryption Procedures for BLOB Data.Example of a Data Encryption Procedure
The following sample PL/SQL program (
dbms_crypto.sql
) illustrates encrypting data. This example code does the following:- DES-encrypts a string (
VARCHAR2
type) after first converting it intoRAW
type.This step is necessary because encrypt and decrypt functions and procedures inDBMS_CRYPTO
package work on theRAW
data type only, unlike functions and packages in theDBMS_OBFUSCATION_TOOLKIT
package. - Shows how to create a 160-bit hash using SHA-1 algorithm.
- Demonstrates how MAC, a key-dependent one-way hash, can be computed using MD5 algorithm.
The
dbms_crypto.sql
procedure follows:Example of AES 256-Bit Data Encryption and Decryption Procedures
The following PL/SQL block block demonstrates how to encrypt and decrypt a predefined variable named
input_string
using the AES 256-bit algorithm with Cipher Block Chaining and PKCS #5 padding.Example of Encryption and Decryption Procedures for BLOB Data
The following sample PL/SQL program (
blob_test.sql
) illustrates encrypting and decrypting BLOB data. This example code does the following, and prints out its progress (or problems) at each step:- Creates a table for the BLOB column
- Inserts the raw values into that table
- Encrypts the raw data
- Decrypts the encrypted data
The
-->blob_test.sql
procedure follows:All environments of Common Data Service use SQL Server Transparent Data Encryption (TDE) to perform real-time encryption of data when written to disk, also known as encryption at rest.
By default, Microsoft stores and manages the database encryption key for your environments so you don't have to. The manage keys feature in the Power Platform admin center gives administrators the ability to self-manage the database encryption key that is associated with the Common Data Service tenant.
Important
Self-managed database encryption keys are only available for customers who have more than 1000 Power Apps plan and/or Dynamics 365 plan licensed user seats and who have opted in to the feature. To opt in to this program, contact your account or sales representative.
Encryption key management is only applicable to Azure SQL environment databases. The following features and services use their own key to encrypt their data and can't be encrypted with the self-managed encryption key:
- Relevance Search
- Mobile Offline
- Activity Log (Office 365 portal)
- Exchange (Server-side sync)
Encryption key management cannot be applied to environments that have data stored in File and Image fields.
A majority of existing environments have file and log stored in non-Azure SQL databases. These environments cannot be opted in to self-managed encryption key. Only new environments (once you signed up for this program) can be enabled with self-managed encryption key.
Introduction to key management
With key management, administrators can provide their own encryption key or have an encryption key generated for them, which is used to protect the database for an environment.
The key management feature supports both PFX and BYOK encryption key files, such as those stored in a hardware security module (HSM). To use the upload encryption key option you need both the public and private encryption key.
The key management feature takes the complexity out of encryption key management by using Azure Key Vault to securely store encryption keys. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. The key management feature doesn't require that you have an Azure Key Vault subscription and for most situations there is no need to access encryption keys used for Common Data Service within the vault.
The manage keys feature lets you perform the following tasks.
- Enable the ability to self-manage database encryption keys that are associated with Common Data Service environments.
- Generate new encryption keys or upload existing .PFX or .BYOK encryption key files.
- Lock and unlock tenant environments.WarningWhile a tenant is locked, all environments within the tenant can't be accessed by anyone. More information: Lock the tenant.
Understand the potential risk when you manage your keys
As with any business critical application, personnel within your organization who have administrative-level access must be trusted. Before you use the key management feature, you should understand the risk when you manage your database encryption keys. It is conceivable that a malicious administrator (a person who is granted or has gained administrator-level access with intent to harm an organization's security or business processes) working within your organization might use the manage keys feature to create a key and use it to lock all environments in the tenant.
Consider the following sequence of events.
The malicious administrator signs in to the Power Platform admin center, goes to the Environments tab and selects Manage encryption key. The malicious administrator then creates a new key with a password and downloads the encryption key to their local drive, and activates the new key. Now all the environment databases are encrypted with the new key. Next, the malicious administrator locks the tenant with the newly downloaded key, and then takes or deletes the downloaded encryption key.
These actions will result in disabling all the environments within the tenant from online access and make all database backups un-restorable.
Important
To prevent the malicious administrator from interrupting the business operations by locking the database, the managed keys feature doesn't allow tenant environments to be locked for 72 hours after the encryption key has changed or activated. Additionally, anytime an encryption key is changed for a tenant, all administrators receive an email message alerting them of the key change. This provides up to 72 hours for other administrators to roll back any unauthorized key changes.
Key management requirements
Privileges required
To use the manage keys feature you need one of the following privileges:
- Global admin membership.
- Office 365 Service administrators group membership.
- System administrator security role for the environment that you want to manage the encryption key.
Encryption key requirements
If you provide your own encryption key, your key must meet these requirements that are accepted by Azure Key Vault.
- The encryption key file format must be PFX or BYOK.
- 2048-bit RSA or RSA-HSM key type.
- PFX encryption key files must be password protected.
For more information about generating and transferring an HSM-protected key over the Internet see How to generate and transfer HSM-protected keys for Azure Key Vault.
Key management tasks
To simplify the key management tasks, the tasks are broken down into three areas:
Administrators can use the Power Platform admin center or the Microsoft.Xrm.OnlineManagementAPI PowerShell module cmdlets to perform the key management tasks described here.
Generate or upload the encryption key for a tenant
All encryption keys are stored in the Azure Key Vault, and there can only be one active key at any time. Since the active key is used to encrypt all the environments in the tenant, managing the encryption is operated at the tenant level. Once the key is activated, each individual environment can then be selected to use the key for encryption.
Use this procedure to set the manage key feature the first time for an environment or to change (or roll-over) an encryption key for an already self-managed tenant.
Warning
When you perform the steps described here for the first time you are opting in to self-managing your encryption keys. More information: Understand the potential risk when you manage your keys.
- Sign in to the Power Platform admin center.
- Select the Environments tab, and then select Manage encryption keys on the toolbar.
- Select Confirm to acknowledge the manage key risk.
- Select New key on the toolbar.
- On the left pane, complete the details to generate or upload a key:
- Select a Region. This option is only shown if your tenant has multiple regions.
- Enter a Key name.
- Choose from the following options:
- To create a new key, select Generate new (.pfx). More information: Generate a new key (.pfx).
- To use your own generated key, select Upload (.pfx or .byok). More information: Upload a key (.pfx or .byok).
- Select Next.
- Email notification is sent to all administrators. More information: Encryption key change notification.
Generate a new key (.pfx)
- Enter a password, and then re-enter the password to confirm.
- Select Create, and then select the created file notification on your browser.
- The encryption key .PFX file is downloaded to your web browser's default download folder. Save the file in a secure location (we recommend that this key is backed up along with its password).
To perform this task using PowerShell, see Get-CRMGenerateProtectionkey and Set-CrmTenantProtectionKey.
Upload a key (.pfx or .byok)
- Select Upload the Key, select the .pfx or .byok1 file, and then select Open.
- Enter the password for the key, and then select Create.
1 For .byok encryption key files, make sure you use the subscription id as shown on the screen when you export the encryption key from your local HSM. More information: How to generate and transfer HSM-protected keys for Azure Key Vault.
To perform this task using PowerShell, see New-CRMImportProtectionKey and Set-CrmTenantProtectionKey.
Note
To reduce the number of steps for the administrator to manage the key process, the key is automatically activated when it is uploaded the first time. All subsequent key uploads require an additional step to activate the key.
Activate an encryption key for a tenant
Once an encryption key is generated or uploaded for the tenant, it can be activated.
- Sign in to the Power Platform admin center.
- Select the Environments tab, and then select Manage encryption keys on the toolbar.
- Select Confirm to acknowledge the manage key risk.
- Select a key that has an Available state and then select Activate key on the toolbar.
- Select Confirm to acknowledge the key change and that all administrators will be notified.More information: Encryption key change notification
When you activate a key for the tenant, it takes a while for the key management service to activate the key. The status of the Key state displays the key as Installing when the new or uploaded key is activated.Once the key is activated, the following occurs:
- All encrypted environments automatically get encrypted with the active key (there is no downtime with this action).
- When activated, the encryption key will be applied to all environments that are changed from Microsoft-provided to self-managed encryption key.
To perform this task using PowerShell, see Set-CrmProtectWithTenantKey.
Important
To streamline the key management process so that all environments are managed by the same key, the active key can't be updated when there are locked environments. All locked environments must be unlocked before a new key can be activated. If there are locked environments that don't need to be unlocked, they must be deleted.
Note
After an encryption key is activated, you can't activate another key for 24 hours.
Manage encryption for an environment
By default, each environment is encrypted with the Microsoft-provided encryption key. Once an encryption key is activated for the tenant, administrators can elect to change the default encryption to use the activated encryption key. To use the activated key, follow these steps.
Satellite Encryption Keys
Apply encryption key to an environment
- Sign in to the Power Platform admin center.
- Select the Environments tab.
- Open a Microsoft-provided encrypted environment.
- Select See all.
- In the Environment Encryption section, select Manage.
- Select Confirm to acknowledge the manage key risk.
- Select Apply this key to accept changing the encryption to use the activated key.
- Select Confirm to acknowledge that you are managing the key directly and that there is downtime for this action.
Return a managed encryption key back to Microsoft-provided encryption key
Returning to the Microsoft-provided encryption key configures the environment back to the default behavior where Microsoft manages the encryption key for you.
- Sign in to the Power Platform admin center.
- Select the Environments tab, and then select an environment that is encrypted with a self-managed key.
- Select See all.
- In the Environment Encryption section, select Manage, and then select Confirm.
- Under Return to standard encryption management, select Return .
- For production environments, confirm the environment by entering the environment's name.
- Select Confirm to return to standard encryption key management.
To perform this task using PowerShell, see Set-CrmProtectWithMicrosoftKey.
Lock the tenant
How Are Encryption Keys Securely Generated Windows 10
Since there is only one active key per tenant, locking the encryption for the tenant disables all the environments that are in the tenant. All locked environments remain inaccessible to everyone, including Microsoft, until a Power Platform service admin in your organization unlocks it by using the key that was used to lock it.
Caution
You should never lock the tenant environments as part of your normal business process. When you lock a Common Data Service tenant, all the environments will be taken completely offline and they can't be accessed by anyone, including Microsoft. Additionally, services such as synchronization and maintenance are all stopped. If you decide to leave the service, locking the tenant can ensure that your online data is never accessed again by anyone.
Note the following about tenant environments locking:
Note the following about tenant environments locking:
- Locked environments can't be restored from backup.
- Locked environments are deleted if not unlocked after 28 days.
- You can't lock environments for 72 hours after an encryption key change.
- Locking a tenant locks all active environments within the tenant.
Important
- You must wait at least one hour after you lock active environments before you can unlock them.
- Once the lock process begins, all encryption keys with either an Active or Available state are deleted. The lock process can take up to an hour and during this time unlocking locked environments is not allowed.
- Sign into the Power Platform admin center.
- Select the Environments tab and then on the command bar select Manage encryption keys.
- Select the Active key and then select Lock active environments.
- On the right pane select Upload active key, browse to and select the key, enter the password, and then select Lock.
- When prompted, enter the text that is displayed on your screen to confirm that you want to lock all environments in the region, and then select Confirm.
Create Encryption Key
To lock a tenant using the PowerShell cmdlet, see Set-CrmLockTenantProtectedInstances.
Unlock locked environments
To unlock environments you must first upload and then activate the tenant encryption key with the same key that was used to lock the tenant. Please note that locked environments do not get unlocked automatically once the key has been activated. Each locked environment has to be unlocked individually.
Important
- You must wait at least one hour after you lock active environments before you can unlock them.
- The unlock process can take up to an hour. Once the key is unlocked, you can use the key to Manage encryption for an environment.
- You can't generate a new or upload an existing key until all locked environments are unlocked.
Unlock encryption key
- Sign into the Power Platform admin center.
- Select the Environments tab and then select Manage encryption keys.
- Select the key that has a Locked state, and then on the command bar select Unlock key.
- Select Upload locked key, browse to and select the key that was used to lock the tenant, enter the password, and then select Unlock.The key goes into an Installing state. You must wait until the key is in an Active state before you can unlock locked environments.
- To unlock an environment, see the next section.
How Are Encryption Keys Securely Generated Windows 7
Unlock environments
- Select the Environments tab, and then select the locked environment name.TipDon't select the row. Select the environment name.
- In the Details section, select See all to display the Details pane on the right.
- In the Environment encryption section on the Details pane select Manage.
- On the Environment encryption page select Unlock.
- Select Confirm to confirm that you want to unlock the environment.
- Repeat the previous steps to unlock additional environments.
To unlock an environment using the PowerShell cmdlet, see Set-CrmUnlockTenantProtectedInstance.
Environment database operations
A customer tenant can have environments that are encrypted using the Microsoft managed key and environments that are encrypted with the customer managed key. To maintain data integrity and data protection, the following controls are available when managing environment database operations.
- RestoreThe environment to overwrite (the restored to environment) is restricted to the same environment that the backup was taken from or to another environment that is encrypted with the same customer managed key.
- CopyThe environment to overwrite (the copied to environment) is restricted to another environment that is encrypted with the same customer managed key.NoteIf a Support Investigation environment was created to resolve support issue in a customer managed environment, the encryption key for the Support Investigation environment must be changed to customer managed key before the Copy environment operation can be performed.
- ResetThe environment's encrypted data will be deleted including backups. After the environment is reset, the environment encryption will revert back to the Microsoft managed key.
Encryption key change notification
Important
When an encryption key is activated or changed, all administrators receive an email message alerting them of the change. This provides a means to allow other administrators to verify and confirm that the key was updated by an authorized administrator. Since it takes time to activate the key and to encrypt all the environments, and to send out the email notification, an encryption key can only be updated once every 24 hours.
See also
Microsoft.Xrm.OnlineManagementAPI PowerShell reference
SQL Server: Transparent Data Encryption (TDE)
SQL Server: Transparent Data Encryption (TDE)