You may fail to backup log or restore log after TDE certification/key rotation

-

 When TDE is enabled, all the records written to transaction log files are encrypted as well. During the TDE certification/key rotation, these log records are not touched.

On changing certificate/keys, the current active VLF file, which is encrypted by old key, will be closed. New log records will be encrypted by new key and write to next available VLF or a new created VLF. At this stage, the transaction log file has both log records encrypted by old certificate, and the log records encrypted by new certificate.

When you do the log backup, the log records that have been encrypted by old certificate, may be decrypted and then encrypted by new certificate to the backup file, or just be flushed to the backup file without doing any decryption/encryption, depending on how you run the log backup.

This behavior may cause two different issues if the old certificate is removed.

1.When you do log backup with ‘COMPRESSION+MAXTRANSFERSIZE’ combination , SQL Server will decrypt records, which was encrypted by old certificate, then encrypt the data by new key and save to file.

If you remove the old key after certificate rotation before the log backup, the log backup fails with error 33111

Cannot find server %S_MSG with thumbprint ‘%.*ls’.

2.When you do regular log backup without ‘COMPRESSION+MAXTRANSFERSIZE’ combination , like : backup log dbName to disk=’xxx’.

SQL Server just grabs the data from transaction log and save to log backup file, it skip the decrypt and encryption. The backup log goes well regardless of the old certificate.

You may be not aware of that you have a log backup file that has two kind of data, data encrypted by old certificate and data encrypted by new certification.

If you trying to restore the log file, you need to make sure both certificates exist. Else error 33111 is raised.

So Backup certificate is always suggested. Restore the certificate if case you run into this issue.

Here is the reproduce step of first scenario:

1.Create database , and enable TDE by using the oldCertificate

create database dbName
go
use dbName
go
backup database dbName to disk='dbName.bak'
go
backup log dbName to disk='dbName.trn'
go

use master
go
create certificate oldCertificate with subject='oldCertificate'
go
create certificate newertificate with subject='newertificate'
go

USE dbName
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE oldCertificate;
GO
ALTER DATABASE dbName SET ENCRYPTION ON;

2.Populate some data into the database,

Use dbName
go
create table ta(id int)
go
insert ta 
select 1 from sys.columns

3.DMV sys.dm_db_log_info will show us the encryption thumbprint used by each VLF.(vlf_encryptor_thumbprint is added in SQL 2019)

use dbname
go
select vlf_encryptor_thumbprint,c.name, l.*From sys.dm_db_log_info(db_id()) l 
left join master.sys.certificates c on l.vlf_encryptor_thumbprint=c.thumbprint
image

4.Do the certification rotation

ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE newertificate

5.Check the encryption thumbprint. The new certificate is used in new VLF.

use master
go
select d.name as DbName,c.name as CertName from sys.dm_database_encryption_keys k 
inner join sys.databases d on k.database_id=d.database_id
inner join sys.certificates c on c.thumbprint=k.encryptor_thumbprint
image

6.At this stage, the transaction log file has both log records encrypted by old certificate, and the log records encrypted by new certificate.

use dbname
go
select vlf_encryptor_thumbprint,c.name, l.*From sys.dm_db_log_info(db_id()) l 
left join master.sys.certificates c on l.vlf_encryptor_thumbprint=c.thumbprint

7.Delete the old certificate

Use master
drop certificate oldCertificate

8.Take log backup

BACKUP log dbname TO DISK = 'dbName_AfterRotation.trn' 
WITH COMPRESSION, MAXTRANSFERSIZE = 1048576

image

Here is the reproduce step of second scenario:

Here is a reproduce step of second scenario(step 1~5 are same to steps in the first scenario):

1.Create database , and enable TDE by using the oldCertificate

create database dbName
go
use dbName
go
backup database dbName to disk='dbName.bak'
backup log dbName to disk='dbName.trn'
go

use master
go
create certificate oldCertificate with subject='oldCertificate'
create certificate newertificate with subject='newertificate'
go

USE dbName
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE oldCertificate;
GO

ALTER DATABASE dbName
SET ENCRYPTION ON;

go

2.Populate some data into the database,

Use dbName
go
create table ta(id int)
insert ta 
select 1 from sys.columns

3.DMV sys.dm_db_log_info will show us the encryption thumbprint used by each VLF.(vlf_encryptor_thumbprint is added in SQL 2019)

use dbname
go
select vlf_encryptor_thumbprint,c.name, l.*From sys.dm_db_log_info(db_id()) l 
left join master.sys.certificates c on l.vlf_encryptor_thumbprint=c.thumbprint

4.Do the certification rotation

ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE newertificate

5.Check the encryption thumbprint. The new certificate is used in new VLF.

use master
go
select d.name as DbName,c.name as CertName from sys.dm_database_encryption_keys k 
inner join sys.databases d on k.database_id=d.database_id
inner join sys.certificates c on c.thumbprint=k.encryptor_thumbprint

6.Delete the old certificate

Use master
drop certificate oldCertificate

5.Take database backup

BACKUP database dbname to disk='dbname_AfterRotatin.bak'

6.Take log backup.

BACKUP log dbname TO DISK = 'dbName_AfterRotation1.trn'

Let’s try to restore the database backup and log backup to a new server with the new certificate.(or restore the backup in the same instance)

Restore database dbname from disk='dbname_AfterRotatin.bak' with norecovery
Restore log dbname from disk='dbname_AfterRotatin1.trn' with norecovery

The restore log will fail with 33111 error.

This is the related KB https://support.microsoft.com/en-us/help/4534430/fail-to-backup-transaction-log-after-tde-certificate-key-rotation

Comments

Post a Comment

popular posts

SQL Server Polybase in Failover cluster instance

-
Image
Since SQL Server 2017, you can install Polybase in SQL Server Failover cluster instance. SQL Server Polybase Dms and SQL Server Polybase Engine are created in Failover cluster, mapping to SQL Server Polybase Data Movement and SQL Server Engine respectively.     And following two registers keys are created in all the nodes. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLPBENGINE$InstanceName Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLPBDMS$SQL19     Here are some cases that cause SQL Server Polybase engine fail to start. 1.TCP/IP Protocol is disabled. 2.Polybase engine service fail to connect SQL Server instance. 3.Polybase engine service account does not have permission to access database [DWConfiguration],[DWDiagnostics] and [DWQueue] 4.T he   SQL Server Polybase engine Roles does not exist in Failover cluster. 1)In this case, you need to manually add the role back to failover cluster...
Read more

Tutorial: Create SQL Cluster(FCI) on RHEL

-
Image
  In the Windows world, SQL Server integrates into Windows Server Failover Cluster (WSFC) natively, and we have a dedicated installation for SQL Server Cluster. However, on Linux, you need to install standalone SQL Server instance in the nodes first, and then configure the instance as a SQL Server cluster instance. I use SQL Server 2019 with RHEL 8.x in this tutorial, but it is possible to use SQL Server 2017 in RHEL 7.x or RHEL 8 to configure FCI. Here is the step by step  Video   Topology           1.ISCSI target server configuration   1. The two highlighted two disks will be the used as Shared Storage.     sdc is for the database files in /var/opt/mssql/data sdd is for the user databases files. If all your databases are stored /var/opt/mssql/data, feel free to  ignore all the steps link to device sdd.   2.Run fdisk to create partition. fdisk /dev/sdc fdisk /dev/sdd ...
Read more

Configure multiple-subnet Always On Availability Groups and failover cluster instances by modifying CIB

-
Image
In the Windows world, a Windows Server Failover Cluster (WSFC) natively supports multiple subnets and handles multiple IP addresses via an OR dependency on the IP address. On Linux, there is no OR dependency, but there is a way to achieve a proper multi-subnet natively with Pacemaker, as shown by the following. You cannot do this by simply using the normal Pacemaker command line to modify a resource. You need to modify the cluster information base (CIB). The CIB is an XML file with the Pacemaker configuration. Reference: https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-configure-multiple-subnet?view=sql-server-ver15 Here is an example to create a SQL Server Linux Availability group in 4 nodes in 3 subnets in RHEL 7.6   If you are already familiar with the AG Group setup process, please just jump to step 16. 1.Register your subscription on for all servers (red1,red2,red3 and red4 in this case) subscription-manager register   2.List all available subsc...
Read more

Realcase: Failed to upgrade SQL Server 2016 SP2 CU11. (Installation success or error status: 1648)

-
Image
  One of my customer failed to upgrade SQL Server 2016 SP2 CU11. Here is the troubleshooting steps 1.Check SQL Server setup log(C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log\) Detailed results: Feature: Database Engine Services Status: Failed: see logs for details Reason for failure: An error occurred for a dependency of the feature causing the setup process for the feature to fail. Next Step: Use the following information to resolve the error, and then try the setup process again. Component name: SQL Server Common Files Component error code: 1648 Component log file: C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log\20191217_193009\SQLAG\sql_common_core_Cpu64_1.log Error description: No valid sequence could be found for the set of updates. Error help link: http://go.microsoft.com/fwlink?LinkId=20476...
Read more

How to find SQL Server Replication related jobs and T-SQL statements

-
Image
Verbose log is heavily used   in replication troubleshooting. You need to find the right job to enable to verbose log. However, it's not easy to find the   jobs when you have hundreds replication jobs in one server.     Here is how: 1.Distribution agent Following queries list all the distribution agent jobs, including push subscriptions and pull subscriptions. (You may need add more clause to customize your queries). By default, the SQL Server agent job names equal to the agent names for push subscription, unless you explicitly modify the job names. use distribution---in distributor server if not exists(select 1 from sys.tables where name ='MSreplservers') begin select job.name JobName,a.name AgentName, a.publisher_db,a.publication as publicationName,sp.name as publisherName ,ss.name as subscriber,a.subscriber_db, a.local_job From MSdistribution_agents a inner join sys.servers sp on a.publisher_id=sp.server_id--publisher inner join sys.servers ss...
Read more

SQL Server Extents, PFS, GAM, SGAM and IAM and related corruptions

-
Image
  I’m going to start a series of posts talking about SQL Server allocation pages and corruption. Each post will have samples showing how SQL Server use these pages and scenarios of corruption. The first post will talk about the Extents, PFS, GAM, SGAM and IAM and related corruptions, you can find all concepts from following two pages: Pages and Extents Architecture Guide Under the covers: GAM, SGAM, and PFS pages   As there are many concepts and samples, I’m going to discuss the topics in two or three posts.   1.Extents Extents are the basic unit in which space is managed. An extent is eight physically contiguous pages, or 64 KB. This means SQL Server databases have 16 extents per megabyte. SQL Server has two types of extents: ·          Uniform  extents are owned by a single object; all eight pages in the extent can only be used by the owning object. ·          Mixe...
Read more

Tutorial: Add a node to SQL cluster on RHEL

-
Image
  In t his video , I demonstrated how to create a two nodes SQL Cluster instance.   I’m going to show you how to add another node to existing SQL Cluster.   Topology   1.ISCSI target server configuration   1.Add the new node (node3) to the ACLs list. This is the existing setting.     Here are the commands I used.   2. Enable and restart the target service. systemctl enable target.service systemctl restart target.service   2.ISCSI initiator configuration.   Configure ISCSI initiator in the new node (node3)   1.Install iscsi-initiator-utils   in all nodes. sudo yum install iscsi-initiator-utils -y   2.Edit the /etc/iscsi/initiatorname.iscsi , replace the existing value with following keywords, the one I used in step 4 of section[ISCSI target server configuration] InitiatorName=iqn.2020-08.com.contoso:node3             3.Discov...
Read more

SQL Server GAM corruption samples

-
Image
In previous post , we discussed the PFS, GAM and SGAM pages. Today, I’m going show you two related corruptions on these pages.   SQL Server checks the bit in PFS, GAM, SGAM and IAM are checked when new pages are allocated. It guarantees that it does not store data to a wrong page/extent. These pages are crucial to SQL Server, SQL Server considers it as a corruption if they are messed up. I’m going to use the same database I used in previous article . You may restore the   backup  f ile and give it a try. Please note, restoring database will consume some pages and change the PFS, GAM, SGAM and IAM. You may get a different view from my mine.   Let me show you some of the content of GAM and SGAM before the corruption samples. Here are the GAM and SGAM page result: 1.GAM 2.SGAM 3.We can tell that the extent of page(1:352) and extents greater than that have not been allocated. 4.Let’s take a dive into the GAM page. 5.‘ 00000000 00f0 ’ inter...
Read more

Password is required when adding a database to AG group if the database has a master key

-
Image
Moved this post from my old blog.   When you are trying add a database having a ‘master key’ to a AG group, you will see the message in SSMS. You can’t move to next step until you put the correct password of the ‘master key’. This is an requirement of SSMS to help you manage SQL Server database master key password in secondary replicas. Why we have this requirement? When a master key is created, it’s encrypted by both password and service master key. create MASTER KEY ENCRYPTION BY PASSWORD = ‘Password1’; This master key will be open automatically when it’s need for decryption or encryption. In this case, it is not necessary to use the ‘OPEN Master Key’ T-SQL statement. However, when a database is first attached or restored to a  new  instance of SQL Server, a copy of the database master key (encrypted by the service master key) is not yet stored in the server. You must use the  OPEN MASTER KEY  statement to decrypt the database master key (DMK). Once the DMK ha...
Read more