Security for Virtual server and SQL DB

Hi All,

We have a virtual MS server with a SQL database on it. What is the best way to encrypt the virtual server vmdk files, and is there a way to encrypt the database files?

What is the best way to encrypt the whole virtual server or just the database/log files?

How are you securing your database, and have you encrypted the VMware server as well?

Please let me

btan (Exec Consultant) Commented:
To secure your VMs, it’s necessary to first secure the physical host machine they run on. It has long been known in the security industry that while you can do a lot to secure an OS, much of that security fails if someone gains physical access to the box the OS runs on. With physical access, an intruder can bypass the OS security controls by booting to an alternative OS or simply by mounting the VM’s hard drives and mapping them to a drive letter on the host machine.

Going into SQL Server 2008/2012, it comes equipped with transparent data encryption (TDE) and extensible key management (EKM) to make encryption and key management using a third-party key manager easier than ever. See the best practice list in MS Blog

Specifically, taking the "Consolidating Databases Using Virtualization Planning Guide" in that link, see the section on security on pg 12; it states that virtualisation consolidation requires this:
-Equivalent to having a dedicated physical machine
-Isolation of local Windows accounts
-Isolation of SQL Server logins
-Isolation of SQL Server binaries
-Data protection through Windows BitLocker drive encryption
-Data protection through Windows Encrypting File System (EFS)
-Data protection through Microsoft SQL Server Transparent Data Encryption (TDE)
-Data protection through Windows permissions
-Data protection through SQL Server granular encryption
-Data protection through SQL Server granular permissions
-Auditing of actions with SQL Server Audit

You will probably be more interested in SQL Server Encryption; the link has an overview

For more details in Database Encryption in SQL Server 2008 Enterprise Edition, see below

Coming back to VMWare, it also has a list of best practice and specifically for Database, check this out @

Many customers approach virtual database consolidation by doing a Physical to Virtual (P2V) conversion of each of their physical servers. What’s important to note is that the new virtual machine contains the entire isolated software stack that was on the physical server, so there is no reduction in resource isolation from a Windows or SQL Server perspective. There is no need to re-architect the security model within the new Windows guest operating system.

With the scale-out approach, you deploy fewer SQL instances per VM and customize the configuration as needed. The usual drawbacks to a scale-out approach that you encounter in a physical infrastructure, such as server sprawl and high TCO, are minimized when you deploy a virtual infrastructure. Not only does this approach provide better workload and security isolation, it also allows easier maintenance and change management because of the increased granularity of deploying fewer SQL instances per VM.

Overall practice list -

I know this is going to be too lengthy, but simply see it as: protect the guest VM as per norm, and the VM files are treated like any file and should be encrypted too. But it is unlikely you have the DB shut off, as it is likely to be running, compared to a normal workstation... Specifically, VMware has limitations using their encryption, see

The encryption feature has certain limitations.
- You must power off a virtual machine before you add or remove encryption or change the encryption password.
- The encryption feature supports virtual machines that have virtual hardware version 5.x or later only.
- You cannot create a linked clone from an encrypted virtual machine.
- If more than one unencrypted virtual machine shares the same virtual disk and you encrypt one of the virtual machines, the virtual disk becomes unusable for the unencrypted virtual machine.
- You cannot encrypt a shared or remote virtual machine.
- You cannot upload an encrypted virtual machine to a remote server.
- You cannot share an encrypted virtual machine.

Currently with vSphere there is no native encryption of .vmdk files, but .vmdk file encryption was introduced in the Workstation 7 release so it may eventually make it to vSphere. Instead you may consider
- Protect sensitive data at the operating system or application layer if possible (as in what we mentioned in the SQL encryption and OS encryption)
- Restrict access inside vCenter Server to privileges that allow file operations of the host datastores. You don't have to take away the Browse Datastore privilege from a user role; you can allow that, but take away the Low Level File Operations which prevents downloading, copying and renaming of files. Resist granting full access inside vCenter Server to users; utilize custom roles to tailor the access to exactly what is required.
- Unfortunately there is no auditing or logging built in to vCenter Server or ESX that will alert you to file operations using the vSphere client. You might consider implementing a single point of entry application like the HyTrust Appliance that can provide very granular access control and a centralized logging facility for all your hosts.
- Limit access to the ESX service console to people that absolutely need it, you can use sudo to further limit what someone can access and execute inside the service console. For most normal operations there is no need to access the service console as everything can be done using the vSphere Client instead.

Below is a quick summary if the overall has been too overwhelming:

VMware can be configured to encrypt vmx not going to answer all
Encrypt VMware VM running Windows 2008 R2 with Microsoft Bitlocker

Check out this article for overall VMware hardening, which sets the baseline before venturing into the MS SQL aspects

Quick tips for the DB

Since SQL Server 2008 Microsoft has supported automatic encryption with TDE and cell level encryption for Enterprise Edition users and above. Without any programming you can encrypt the SQL Server database or an individual column, and store the keys on an encryption key management HSM.

If you have an older version of SQL Server, or you have SQL Server Standard Edition or Web Edition, you don’t have access to TDE. But you can still automate encryption:
Through the strategic use of SQL Views and Triggers, you can automate encryption of sensitive data on your SQL Server without extensive program modifications, and still use a secure key management HSM to protect the encryption keys.

Your developers might have written custom application code to implement your SQL Server database. But SQL Server encryption and key management is still within your reach. A good key management vendor should supply you with software libraries that easily add into your applications and implement SQL Server encryption.

You might have a SQL Server database, but not be using Microsoft programming languages. Perhaps your applications are written in Java, Perl, or PHP. Again, it is simple to deploy software libraries that encrypt the SQL Server data and which store the encryption keys on a key server HSM.
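The TDE setup the answer above refers to, written out as an added example (not part of the original post or of Microsoft's guide). The database name `SalesDb`, the certificate name `TdeCert`, the backup paths and the passwords are placeholders.

```sql
-- Added example: all names, paths and passwords below are placeholders.
USE master;
GO
-- 1. Master key in the master database protects the TDE certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
GO
-- 2. Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- 3. Back up the certificate and its private key before turning TDE on.
--    A TDE-encrypted backup cannot be restored on another server without them.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\KeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder: different strong password>'
    );
GO
-- 4. Create the DEK inside the user database, protected by the certificate.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 5. Start encrypting data and log files; this runs as a background scan.
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 6. Check progress: encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb also appears here once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

Store the certificate backup away from the VM's own datastore, otherwise a copied .vmdk carries the key material along with the encrypted files.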

Please consider doing this: you could encrypt the whole virtual server using bitlocker. We do this on VMware guests. The key is fetched automatically via network from a machine that is physically secured. So if the vmhost got stolen, we would not have to worry.
skyjumperdude (Author) Commented:
Hi breadtan,

Thank you so much for the great information. I have a question. We have one table within a database which is encrypted using hashing. If we use Microsoft TDE, will it work? So we will have encryption within encryption. What is the effect going to be?

Please let me know.

btan (Exec Consultant) Commented:
Hashing is not encryption... more of obfuscation in a one-way hash. TDE is transparent data encryption, which encrypts the db on the fly with a symmetric key loaded; note it is not at cell level. Good to read on in MS Site
No opinion on my suggestion? It is simple and straight forward.
skyjumperdude (Author) Commented:
Our DBA is worried that if we implement TDE and enable cell level encryption, there might be performance issues and our web apps will be running slow. On top of this, from a backup and restore point of view, will this make it hard to restore at the object level? There are backup solutions out there which give you the ability to perform a restore at the object level, and our DBA thinks that once we have the encryption, those tools might not be able to do the object level restore.

Please let me know for the performance level and the backup/restore.
btan (Exec Consultant) Commented:
It is a valid concern indeed, but what about in the event the db is lost... Of course I am being paranoid, but insider threat goes beyond, and superadmin can be mitigated if set in deterrence such as log audit and 2FA authentication, least privileges.

Also, performance wise, pls see this. Write operations incurred higher cost. Note compression is not available using TDE, hence overall expect lower than usual... log shipping etc. further challenges it

In general, TDE and cell-level encryption accomplish two different objectives. If the amount of data that must be encrypted is very small or if the application can be custom designed to use it (or if the application has custom design requirements) and performance is not a concern, cell-level encryption is recommended over TDE. Otherwise, TDE is recommended for encrypting existing applications or for performance sensitive applications.
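The difference between a hashed column and cell-level encryption discussed in this thread, as an added example that is not part of the original posts. The table, key and certificate names and the sample value are constructed; `SHA2_256` in `HASHBYTES` assumes SQL Server 2012 or later.

```sql
-- Added example: SalesDb, CellCert, ColKey, dbo.Customer and the sample
-- value are constructed for illustration.
USE SalesDb;
GO
-- Key hierarchy for cell-level encryption: database master key ->
-- certificate -> symmetric key that encrypts the column values.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
CREATE CERTIFICATE CellCert WITH SUBJECT = 'Protects the column key';
CREATE SYMMETRIC KEY ColKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CellCert;
GO
CREATE TABLE dbo.Customer (
    CustomerId    int IDENTITY PRIMARY KEY,
    NationalIdEnc varbinary(256) NOT NULL,  -- reversible with the key
    NationalIdSha varbinary(32)  NOT NULL   -- one-way, cannot be decrypted
);
GO
OPEN SYMMETRIC KEY ColKey DECRYPTION BY CERTIFICATE CellCert;

INSERT INTO dbo.Customer (NationalIdEnc, NationalIdSha)
VALUES (
    ENCRYPTBYKEY(KEY_GUID('ColKey'), N'SAMPLE-0001'),
    HASHBYTES('SHA2_256', N'SAMPLE-0001')
);

-- The encrypted cell comes back as plaintext only while the key is open.
-- The hash column can only be compared against a re-computed hash.
SELECT CustomerId,
       CONVERT(nvarchar(64), DECRYPTBYKEY(NationalIdEnc)) AS NationalId,
       CASE WHEN NationalIdSha = HASHBYTES('SHA2_256', N'SAMPLE-0001')
            THEN 'hash matches' ELSE 'no match' END       AS HashCheck
FROM dbo.Customer;

CLOSE SYMMETRIC KEY ColKey;
GO
-- With the key closed, DECRYPTBYKEY returns NULL instead of the value.
SELECT CustomerId,
       CONVERT(nvarchar(64), DECRYPTBYKEY(NationalIdEnc)) AS NationalId
FROM dbo.Customer;
```

TDE works on the data pages at rest and is independent of what the columns hold, so a hashed or cell-encrypted column is simply stored inside TDE-encrypted pages.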