Containers continue to make their way into enterprise use, and this article looks at how a Fortune 500 financial services firm is applying SQL Server containers within an enterprise Extensible Key Management (EKM) system for encryption, with secure consumption of encrypted credentials from a secrets store. Full disclosure: I am a principal at Windocks, a provider of an independent port of Docker's source to Windows that is a general-purpose database cloning solution. The approach outlined here can be applied to both Windocks SQL Server containers and Microsoft's SQL Server containers.
The example is a 500 GB SQL Server TDE-enabled database, delivered as a SQL Server database clone. Clones support full read/write operations, are delivered within minutes, and use only about 40 MB of storage each. Clones are well suited to development, QA, reporting and BI, and the approach outlined here runs on any public cloud or on private infrastructure.
SQL Server TDE-Enabled Database Clones
A SQL Server cloned environment contains one or many databases, some of which may be encrypted and some not. The cloned environment is built with the appropriate user/group permissions and includes data masking and any other preparation performed during the image build. Only one full byte copy is made, as the parent image, and that image is cloned and delivered within minutes. Database clones are based on Windows virtual hard disks (VHDs), held either locally or on SMB or NFS network-attached file shares.
As soon as we restore an encrypted backup or mount a TDE-enabled database in a Windocks SQL Server container or a Docker SQL Server container, we hit SQL Server error 15581, which tells us to create or open the master key before performing the operation. To work with a TDE-enabled database image, the container must therefore have the master key and its encryption certificate in place before the TDE-enabled database is mounted.
The same process can be supported with Pure Storage or other storage arrays (SANs) by automating the delivery of a SAN snapshot. That is a popular approach and does not change the workflow described below. We will explore how containers offer a new way of working with SANs in a future article.
SQL Server Containers With TDE Encryption
Windocks SQL Server containers are created by cloning a locally installed SQL Server instance, and they inherit the parent instance's master database configuration, including the master encryption certificates. A new container requires the master encryption certificate to be refreshed in order to clear the SQL error 15581 noted above. We do this with a SQL script (shown in the original article).
The key to making this work is that the script must run before the encrypted databases are mounted. Windocks supports sequencing of SQL script operations through file extensions: scripts with a .sqlsys extension run before the databases are mounted, while .sql scripts run after the databases are mounted. This allows the master encryption certificate to be re-established before any attempt to mount the TDE-enabled database.
The full process is driven by a dockerfile. In Step 1 the docker build is submitted by the client, and the container is provisioned (Step 2). Then the TDE.sqlsys script is run (Step 3), and the cloned database environment is mounted (Step 4).
In practice most teams work from a clonable database image, so the dockerfile captures these steps in two lines. The image name, tdeclone_1_30, specifies the SQL Server version and the cloned databases to be mounted. These clones can be used with any SQL Server application environment (Docker SQL containers and conventional instances).
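The page does not reproduce the pre-mount script itself, so the following is an added example (written for this edit, not Windocks' own script) of what a .sqlsys script has to do on the cloned instance before the TDE database is attached, followed by the post-mount .sql check I would pair with it. The certificate name TDECert, the file paths and the password placeholders are assumptions; substitute your own.

```sql
-- Added example, not from the original article.
-- Part 1: pre-mount script (.sqlsys timing). Runs in master on the cloned
-- instance BEFORE the TDE-enabled database is attached.
-- Placeholders: TDECert, C:\keys\..., <dmk-password>, <pvk-password>.
USE master;
GO

-- The clone inherited master's Database Master Key (DMK). If this instance's
-- Service Master Key cannot open that DMK automatically, every operation that
-- needs it fails with error 15581. Open the DMK with its password and add an
-- encryption by this instance's SMK so the engine can open it unattended.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<dmk-password>';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
GO

-- The certificate that protects the database encryption key (DEK) must exist
-- in master with the SAME thumbprint the DEK was encrypted with. If it is
-- missing, restore it from the backed-up certificate and private key. Do not
-- CREATE a fresh certificate: a new one has a new thumbprint and can never
-- decrypt the existing DEK.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDECert')
BEGIN
    CREATE CERTIFICATE TDECert
        FROM FILE = 'C:\keys\TDECert.cer'
        WITH PRIVATE KEY (
            FILE = 'C:\keys\TDECert.pvk',
            DECRYPTION BY PASSWORD = '<pvk-password>');
END
GO

CLOSE MASTER KEY;
GO

-- Record what is now in master; compare with the DEK after the mount.
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TDECert';
GO

-- Part 2: post-mount check (.sql timing, a separate file in practice).
-- encryption_state 3 means the database is encrypted and readable;
-- encryptor_thumbprint must equal the thumbprint listed above. A mismatch
-- means the wrong certificate was restored and the data is unreadable.
SELECT DB_NAME(database_id)  AS database_name,
       encryption_state,
       encryptor_type,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO
```

The thumbprint comparison is the check worth automating: a build that "succeeds" but leaves encryption_state at anything other than 3 has produced a clone that cannot read its own data. Keep the certificate and private-key files, and the passwords, out of the image and supply them from the secrets mechanism described later in this article.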
Supporting Secure Credentials in an EKM System
Extensible Key Management is common in financial services organizations that rely on Vormetric and other encryption systems for enterprise-wide solutions. These systems involve the use of VM-level credentials, and the arrival of short-lived containers raises the question: "How does a team use credentials securely during container provisioning?"
One answer involves an encrypted key store and environment variables. Windocks supports encrypted secrets that are decrypted for use by the Windocks service. Each secret is stored and referenced through an environment variable:
SQL_RUN_AS_PASSWORD1="encrypted_password"
With the EKM user credentials encrypted, they can be used securely when building containers. File extensions are again used to identify scripts that incorporate user credentials, i.e. .sqlsysrunas or .sqlrunas.
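The page does not show the contents of a credential-bearing script, so the following is an added example (mine, not Windocks' or the customer's) of the pre-mount work a .sqlsysrunas script does when the TDE database's DEK is protected by a key held in an EKM provider rather than by a local certificate. Provider name, DLL path, key name and login are assumptions. The EKM password is deliberately not written into the file: the <ekm-password> placeholder stands for the value the provisioning step supplies from the encrypted secret, and how that substitution is performed is assumed here rather than documented on the page.

```sql
-- Added example, not from the original article.
-- Pre-mount script (.sqlsysrunas timing) for a TDE database whose DEK is
-- wrapped by an EKM-held asymmetric key. Runs in master before the mount.
-- Placeholders: EKM_Provider, C:\EKM\ekm_provider.dll, ekm_service_user,
-- tde-master-key, EKM_TDE_Login, <ekm-password> (supplied from the secret).
USE master;
GO

-- EKM providers are disabled by default; enable them on the cloned instance.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- Register the vendor's EKM provider DLL.
IF NOT EXISTS (SELECT 1 FROM sys.cryptographic_providers WHERE name = 'EKM_Provider')
    CREATE CRYPTOGRAPHIC PROVIDER EKM_Provider
        FROM FILE = 'C:\EKM\ekm_provider.dll';
GO

-- The credential SQL Server presents to the EKM. SECRET is the only place the
-- EKM password appears, and it is injected at provisioning time, never
-- stored in the script or the image.
IF NOT EXISTS (SELECT 1 FROM sys.credentials WHERE name = 'EKM_Cred')
    CREATE CREDENTIAL EKM_Cred
        WITH IDENTITY = 'ekm_service_user', SECRET = '<ekm-password>'
        FOR CRYPTOGRAPHIC PROVIDER EKM_Provider;
GO

-- Map the EXISTING key in the EKM that the DEK was wrapped with.
-- OPEN_EXISTING is essential: CREATE_NEW would mint a different key and the
-- DEK could never be opened.
IF NOT EXISTS (SELECT 1 FROM sys.asymmetric_keys WHERE name = 'EKM_TDE_Key')
    CREATE ASYMMETRIC KEY EKM_TDE_Key
        FROM PROVIDER EKM_Provider
        WITH PROVIDER_KEY_NAME = 'tde-master-key',
             CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- A login mapped to the key and carrying the credential is what the engine
-- uses to reach the EKM unattended when it opens the DEK at mount time.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'EKM_TDE_Login')
    CREATE LOGIN EKM_TDE_Login FROM ASYMMETRIC KEY EKM_TDE_Key;
ALTER LOGIN EKM_TDE_Login ADD CREDENTIAL EKM_Cred;
GO

-- Check: this thumbprint must match encryptor_thumbprint reported by
-- sys.dm_database_encryption_keys once the database is mounted.
SELECT name, thumbprint, key_length
FROM sys.asymmetric_keys
WHERE name = 'EKM_TDE_Key';
GO
```

Two practitioner caveats: the script should be readable only by the provisioning service (it references the provider DLL and the key name, which are not secrets, but the substituted password is), and the clone's service account must be permitted by the EKM to use that key, otherwise the mount fails in the same way a missing certificate does in the certificate-based case.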
Conclusions and Next Steps:
Combining SQL Server containers with database cloning provides fast delivery of complete environments for development, QA, reporting and BI. An environment with a terabyte-class database is delivered in roughly 45 seconds, which makes it an ideal on-ramp for developer self-service and a significant step toward modernizing full-stack software development. The processes outlined in this article are an effective addition to any enterprise infrastructure and a logical starting point for modernization workflows involving SQL Server.
This article highlights how containers are being adapted to meet enterprise needs, including secure use of encrypted secrets and sequenced control of container build operations. Windocks is a general-purpose SQL Server cloning tool that supports Windocks containers, Microsoft's official Docker SQL containers, and conventional instances.