| Author |
Topic |
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2005-08-02 : 21:15:57
|
| Has anyone used the encrypted file system for database files? I haven't heard of anyone using EFS for anything, let alone database files. One of our security dorks has suggested that this is the way to go. I have a feeling that this is a really bad idea, just another thing that can go wrong and cause a major problem. I'm not in the mood to find out what can go wrong either.
CODO ERGO SUM |
|
|
timmy
Master Smack Fu Yak Hacker
1242 Posts |
Posted - 2005-08-02 : 21:29:34
|
| Isn't that what NT security is for anyway?? I hate to think what the response times would be like with another layer of security on top of what's there..... |
 |
|
|
Thrasymachus
Constraint Violating Yak Guru
483 Posts |
Posted - 2005-08-03 : 13:37:33
|
| Something in the back of my feeble little brain says there is something really bad that can happen if the sql service password ever changes.
====================================================
Regards,
Sean Roussy
GENERAL ADVICE FOR EVERYONE: Please back up all of your databases including master, msdb and model on a regular basis. I am tired of telling people they are screwed. The job you save may be your own. |
 |
|
|
Kristen
Test
22859 Posts |
Posted - 2005-08-03 : 15:27:29
|
| Presumably a fairly major "hit" whenever a block is written to the file too??
Kristen |
 |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2005-08-03 : 15:54:44
|
| I agree on all the comments. Has anyone here actually used EFS? I have seen a lot of rah, rah articles saying how great it is, but I can't seem to find anyone who has actually used it. My feeling is that there are few, if any, people using EFS, and I am not anxious to get involved with little-used, unproven technology.
CODO ERGO SUM |
 |
|
|
MichaelP
Jedi Yak
2489 Posts |
Posted - 2005-08-03 : 17:37:28
|
| I've never used it, but I bet that it would be slow as heck. I also suspect that if you had any issue with that drive, getting the data off there would be nearly impossible. I think I'd approach security in a different way other than EFS. Microsoft isn't exactly known for security and performance.
Michael
<Yoda>Use the Search page you must. Find the answer you will. Cursors, path to the Dark Side they are. Avoid them, you must. Use Order By NewID() to get a random record you will.</Yoda> |
 |
|
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2005-08-03 : 22:23:27
|
| our chief tech officer wants to encrypt the db files too, and i have this really really bad feeling about it... anyone done this before?
--------------------
keeping it simple... |
 |
|
|
eyechart
Master Smack Fu Yak Hacker
3575 Posts |
Posted - 2005-08-03 : 23:00:05
|
| seems to me that using EFS would mung up your typical recovery processes. No more easy sp_detach_db/attach_db for moving databases around. I guess that is the point though.
here is an article on using EFS with SQL (written with win2k in mind, not win2k3 though) http://www.sqlservercentral.com/columnists/bkelley/implementing_efs.asp
I personally think it would be easier to manage access to your SQL Server and its filesystems than to encrypt them.
-ec |
 |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2005-08-03 : 23:26:42
|
I've seen plenty of how-to articles. What I don't see is someone talking about how they have been using EFS for years and are really happy with it. I never see any questions posted here about how someone has problems with their EFS database files. I haven't seen anyone on this thread say, "Yes, we're using EFS." I searched this site and didn't find a single question posted about EFS. All this leads me to believe that there are very few real-world installations using EFS. I think I'll tell the security dorks to forget EFS, and go design another 20-layer security architecture that looks great on paper that no one will ever implement.
quote: Originally posted by eyechart
seems to me that using EFS would mung up your typical recovery processes. No more easy sp_detach_db/attach_db for moving databases around. I guess that is the point though.
here is an article on using EFS with SQL (written with win2k in mind, not win2k3 though) http://www.sqlservercentral.com/columnists/bkelley/implementing_efs.asp
I personally think it would be easier to manage access to your SQL Server and its filesystems than to encrypt them.
-ec
CODO ERGO SUM |
 |
|
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2005-08-03 : 23:47:58
|
| thanks eyechart, that was really informative
i noted that the security issue is physical access to the server - to allow copy of data files, they must not be in use if a user will try to copy these files, they won't be able to but if he can stop and start the services, then he might - but if you've physically secured the servers, they won't be able to just do that, unless it's an inside thing
for other users, it's practically impossible to copy those files unless you have some copies lying around, in which case, a clean up would be the next step |
 |
|
|
eyechart
Master Smack Fu Yak Hacker
3575 Posts |
Posted - 2005-08-04 : 00:05:46
|
| I also found this link which details the performance penalty when using EFS with SQL Server.
http://www.chriskempster.com/articles/Encrypted%20File%20System%20-%20simple%20speed%20check.doc
I have never heard of anyone using EFS with SQL before either. Interestingly, it is listed as an optional item in Microsoft's SQL Server security checklist http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_SecDBSe.asp
That probably isn't a document you want to bring up with that crowd though ;)
-ec |
 |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2005-08-04 : 07:07:10
|
They've already seen it. That's why they think they're experts now.
quote: Originally posted by eyechart
...That probably isn't a document you want to bring up with that crowd though ;)...
CODO ERGO SUM |
 |
|
|
|