T-SQL shortcuts and tips
The following T-SQL queries provide assistance or alternative methods to perform some of the examples shown in this document.
Creating a database
To create a database called TestDatabase
.
USE master
GO
CREATE DATABASE TestDatabase;
GO
Creating a table
To create the following example table called TestTable
within a previously created TestDatabase
.
USE TestDatabase
GO
CREATE TABLE TestTable (FirstName varchar(MAX), LastName varchar(MAX),
NationalIdNumber varbinary(MAX), EncryptedNationalIdNumber varbinary(MAX),
DecryptedNationalIdNumber varbinary(MAX));
GO
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Jack', 'Shepard', 156587454525658);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('John', 'Locke', 2365232154589565);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Kate', 'Austin', 332652021154256);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('James', 'Ford', 465885875456985);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Ben', 'Linus', 5236566698545856);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Desmond', 'Hume', 6202366652125898);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Daniel', 'Faraday', 7202225698785652);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Sayid', 'Jarrah', 8365587412148741);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Richard', 'Alpert', 2365698652321459);
INSERT INTO TestTable (FirstName, LastName, NationalIdNumber) VALUES ('Jacob', 'Smith', 12545254587850);
GO
Viewing a table
To view the previously created TestTable
:
SELECT TOP 10 [FirstName]
,[LastName]
,[NationalIDNumber]
,[EncryptedNationalIdNumber]
,[DecryptedNationalIdNumber]
FROM [TestDatabase].[dbo].[TestTable]
To view the previously created TestTable
with the NationalIDNumber
in the original decimal form:
SELECT TOP 10 [FirstName]
,[LastName]
,CAST(NationalIdNumber AS decimal(16,0)) AS [NationalIDNumber]
,[EncryptedNationalIdNumber]
,[DecryptedNationalIdNumber]
FROM [TestDatabase].[dbo].[TestTable]
To view the previously created TestTable
with the NationalIDNumber
in the original decimal form, and also show the NationalIdNumber
in VarBinary
form:
SELECT TOP 10 [FirstName]
,[LastName]
,CAST(NationalIdNumber AS decimal(16,0)) AS [NationalIDNumber]
,(NationalIdNumber) AS VarBinNationalIdNumber
,[EncryptedNationalIdNumber]
,[DecryptedNationalIdNumber]
FROM [TestDatabase].[dbo].[TestTable]
Making a database backup
To make a database backup:
USE TestDatabase;
GO
BACKUP DATABASE TestDatabase
TO DISK = '<Drive>:\<Backup_directory>\TestDatabase_SomeState.bak'
WITH NOFORMAT,
INIT,
NAME = 'TestDatabase_SomeState Backup',
SKIP,
NOREWIND,
NOUNLOAD,
STATS = 10
GO
Where: <Drive>:\<Backup_directory>
is the path to the directory to store the backup.
Adding a credential
The following query will add a credential to the database:
CREATE CREDENTIAL <credential name> WITH IDENTITY = '<protection domain id>',
SECRET = '<protection domain passphrase>' FOR CRYPTOGRAPHIC PROVIDER <provider name>;
ALTER LOGIN "<domain>\<login name>" ADD CREDENTIAL <credential name>;
Where
-
<credential name>
is the name you wish to provide for the credential. -
<protection domain id>
matches the id of the protection domain. -
<protection domain passphrase>
matches the passphrase of the protection domain. -
<provider name>
is the name of the provider you are using. -
<domain>
is the relevant login domain. -
<login name>
is the relevant login name (to the database host).
Removing a credential
To remove a credential from the database:
ALTER LOGIN "<domain>\<login name>" DROP CREDENTIAL <credential name>;
DROP CREDENTIAL <credential name>;
Creating a TDEDEK
To create a TDEDEK using TestDatabase
and dbAsymWrappingKey
as an example:
USE TestDatabase; CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER ASYMMETRIC KEY dbAsymWrappingKey; GO
Removing a TDEDEK
To remove a TDEDEK using TestDatabase
as an example:
USE TestDatabase
DROP DATABASE ENCRYPTION KEY;
Switching on TDE
To switch on TDE using TestDatabase
as an example:
ALTER DATABASE TestDatabase SET ENCRYPTION ON;
Switching off TDE
To switch off TDE using TestDatabase
as an example:
ALTER DATABASE TestDatabase SET ENCRYPTION OFF;
Dropping a provider
To drop an existing provider:
DROP CRYPTOGRAPHIC PROVIDER <provider name>
Where
-
<provider name>
is the name of an existing provider.
Disabling existing providers
To disable all existing providers:
sp_configure 'show advanced options', 1; RECONFIGURE;
GO
sp_configure 'EKM provider enabled', 0; RECONFIGURE;
GO
Checking encryption state
To check the encryption state of your databases:
SELECT DB_NAME(e.database_id) AS DatabaseName, e.database_id, e.encryption_state, CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc, c.name, e.percent_complete FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint