66121: DeviceLock DLP: DeviceLock Enterprise Server database encryption

Last update: Tue, 2020-11-17 09:51

Description

DeviceLock Enterprise Server has encrypted the DeviceLock database since version 8.1.63827.

Comments

Starting from version 8.1.63827 DeviceLock Enterprise Server performs encryption of the main DeviceLock database tables during the creation of a new database or when upgrading to a new version of the DeviceLock Enterprise Server. It is still possible to access data stored in DeviceLock database via the DeviceLock Management Console (and DeviceLock Web Console).

Instructions

To gain access to encrypted database information, you need to apply a special license file: the DeviceLock Enterprise Server Database Access license (dldb.lic).

The Database Access license file can be loaded into DeviceLock Enterprise Server using the DeviceLock Management Console:

  • run DeviceLock Management Console
  • connect to an instance of DeviceLock Enterprise Server
  • go to the Server Options section
  • select DeviceLock license(s) -> Properties -> Load License(s) -> OK.

Upon each start (or during license file activation via DeviceLock Management Console), DeviceLock Enterprise Server checks the license status, and if a Database Access license is found, a corresponding record is added to the Server Log Viewer.

In order to retrieve unencrypted information from the DeviceLock database via 3rd party tools, the following SQL query must be executed:

OPEN SYMMETRIC KEY DLKey DECRYPTION BY CERTIFICATE DLCertificate

This query must be executed for each new session. When a valid Database Access license is installed, the query will return the following string as the result:

"Command(s) completed successfully."

This message indicates SQL queries can be performed and unencrypted information will be returned in response.*

If the current user does not have SQL Server Administrator privileges ('sa'), then you need to grant the user the following rights:

GRANT CONTROL ON SYMMETRIC KEY::DLKey TO <USER>;

GRANT CONTROL ON CERTIFICATE::DLCertificate TO <USER>;

GO

If no valid license is found during DeviceLock Enterprise Server startup, the result of the OPEN SYMMETRIC KEY query above will be:

"Please create a master key in the database or open the master key in the session before performing this operation."

and all SQL queries will return NULL for encrypted database information.
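
A per-session preflight for the procedure above, added here as an example and not DeviceLock's own script. It uses only the DLKey and DLCertificate names from this article plus standard SQL Server catalog views and functions, and assumes it is run in the DeviceLock database by the account that will query it.

```sql
-- Added example: verify that encrypted data will actually be readable in this
-- session, instead of discovering the problem through NULL results.

-- 1. Confirm the key and certificate exist and how the private key is protected.
SELECT name, algorithm_desc, key_length
FROM sys.symmetric_keys
WHERE name = N'DLKey';

SELECT name, pvt_key_encryption_type_desc, expiry_date
FROM sys.certificates
WHERE name = N'DLCertificate';

-- 2. Confirm the current user holds the rights granted above (1 = yes, 0 = no).
SELECT
    HAS_PERMS_BY_NAME(N'DLKey', N'SYMMETRIC KEY', N'CONTROL')       AS control_on_key,
    HAS_PERMS_BY_NAME(N'DLCertificate', N'CERTIFICATE', N'CONTROL') AS control_on_cert;

-- 3. Open the key; surface the error text (for example the "create a master key"
--    message quoted above) rather than continuing silently.
BEGIN TRY
    OPEN SYMMETRIC KEY DLKey DECRYPTION BY CERTIFICATE DLCertificate;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

-- 4. The key is usable only if it is listed as open for this session and database.
SELECT key_name, opened_date
FROM sys.openkeys
WHERE key_name = N'DLKey' AND database_id = DB_ID();

-- ... run the read-only reporting queries here ...

-- 5. Close the key explicitly once the queries are done.
IF EXISTS (SELECT 1 FROM sys.openkeys
           WHERE key_name = N'DLKey' AND database_id = DB_ID())
    CLOSE SYMMETRIC KEY DLKey;
```

An empty result in step 4 means later queries in the session will return NULL for encrypted columns, so a reporting job should stop at that point.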

Using several DeviceLock Enterprise Servers with one database

When using several DeviceLock Enterprise Server instances with one database, the Database Access license must be applied on each of the servers. This is critical when implementing the Many-to-Many or Many-to-One DeviceLock Enterprise Server models as mentioned in the DeviceLock Web Help in the Installing DeviceLock Enterprise Server chapter.

Upgrade

During an upgrade of DeviceLock Enterprise Server, the database will automatically be upgraded to the new version. The process may take more time than in previous versions because of the encryption process.

The update process is performed in passive mode. If the update process takes more than 1 minute, the following message will appear in the status window:

Upgrading the database…

Please wait while DeviceLock Enterprise Server is upgrading the "database_name" database.

The database upgrade is performing in the background so you can close this wizard. Do not power off or reboot the DeviceLock or SQL Server during this process.

Installation will be successfully completed, but attempting to connect to the DeviceLock Enterprise Server during the database upgrade process will be unsuccessful and the following dialog window will appear: "The DeviceLock Enterprise Server database is upgrading. Please wait until the database is finished performing upgrade and connect again later."

Unfortunately, it's not possible to predict exactly when the upgrade process will complete. Connectivity to DeviceLock Enterprise Server will be restored as soon as the upgrade process completes. DeviceLock will enter a record about the successful database upgrade into the Server Log upon completion.

Due to the implementation of DeviceLock database encryption, SQL Server 2000 and MSDE/MSEE are no longer supported. Creating a new database, or upgrading an existing one, on these versions of SQL Server will fail with the following error message: "This version of MS SQL Server is not supported by DeviceLock Enterprise Server."