DeviceLock Enterprise Server database encryption
DeviceLock Enterprise Server has performed DeviceLock database encryption since version 8.1.63827.
Starting from version 8.1.63827, DeviceLock Enterprise Server encrypts the main DeviceLock database tables when a new database is created or when upgrading to a new version of the DeviceLock Enterprise Server. It is still possible to access data stored in the DeviceLock database via the DeviceLock Management Console (and DeviceLock Web Console).
To gain access to encrypted database information, you need to apply a special license file, the 'DeviceLock Enterprise Server Database Access license'.
The Database Access license file can be loaded into DeviceLock Enterprise Server using the DeviceLock Management Console:
- Run DeviceLock Management Console;
- Connect to an instance of DeviceLock Enterprise Server;
- Go to the ‘Server Options’ section;
- Select ‘DeviceLock license(s)’ -> Properties -> Load License(s) -> OK;
- Restart the DL Server service.
Alternatively, the license file can be activated by copying it into the DeviceLock Enterprise Server installation directory ('C:\Program Files (x86)\DeviceLock', by default) and restarting the DeviceLock Enterprise Server service.
Upon each start (or during license file activation via the DeviceLock Management Console), DeviceLock Enterprise Server checks the license status, and if a Database Access license is found, a corresponding record is added to the Server Log Viewer.
In order to retrieve unencrypted information from the DeviceLock database via third-party tools, the following SQL query must be executed:
OPEN SYMMETRIC KEY DLKey DECRYPTION BY CERTIFICATE DLCertificate
This query must be executed for each new session. When a valid Database Access license has been installed, the query will return the following string as result:
"Command(s) completed successfully."
This message indicates that SQL queries can be performed and unencrypted information will be returned in response.
Note: If the current user does not have SQL Server Administrator privileges ('sa'), then you need to grant that user the following rights:
GRANT CONTROL ON SYMMETRIC KEY::DLKey TO <USER>;
GRANT CONTROL ON CERTIFICATE::DLCertificate TO <USER>;
If no valid license is found during DeviceLock Enterprise Server startup, the OPEN SYMMETRIC KEY query above returns the following instead:
"Please create a master key in the database or open the master key in the session before performing this operation."
and all SQL queries will return NULL for encrypted database information.
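The per-session procedure above as a T-SQL script, added here as an example and not taken from DeviceLock's own documentation. It lists who holds explicit rights on DLKey and DLCertificate, then refuses to continue unless the key is actually open, so a missing license shows up as an error instead of as NULL values in a report. Only the names DLKey and DLCertificate come from this page; the catalog views are standard SQL Server metadata.

```sql
-- Added example (T-SQL). Run in the DeviceLock database context.
-- DLKey and DLCertificate are the names given on this page; the catalog
-- views are standard SQL Server metadata.

-- 1. Audit: which principals hold explicit permissions on the key and the
--    certificate. Rights implied by sysadmin or db_owner membership are
--    not listed here and need a separate role-membership review.
SELECT pr.name                   AS principal_name,
       p.class_desc              AS securable_class,
       COALESCE(sk.name, c.name) AS securable_name,
       p.permission_name,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr
     ON pr.principal_id = p.grantee_principal_id
LEFT JOIN sys.symmetric_keys  AS sk
     ON p.class = 24 AND sk.symmetric_key_id = p.major_id  -- 24 = symmetric key
LEFT JOIN sys.certificates    AS c
     ON p.class = 25 AND c.certificate_id = p.major_id     -- 25 = certificate
WHERE sk.name = N'DLKey' OR c.name = N'DLCertificate';

-- 2. Session guard: open the key, then verify it is open before reading.
DECLARE @err nvarchar(2048);
BEGIN TRY
    OPEN SYMMETRIC KEY DLKey DECRYPTION BY CERTIFICATE DLCertificate;
END TRY
BEGIN CATCH
    -- Without a valid Database Access license the open fails with the
    -- "Please create a master key..." message quoted on this page.
    SET @err = ERROR_MESSAGE();
    RAISERROR(N'DLKey could not be opened: %s', 16, 1, @err);
    RETURN;
END CATCH;

IF NOT EXISTS (SELECT 1 FROM sys.openkeys
               WHERE key_name = N'DLKey' AND database_id = DB_ID())
BEGIN
    RAISERROR(N'DLKey is not open; encrypted columns would read as NULL.', 16, 1);
    RETURN;
END;

-- 3. Reporting queries run here, in this same session.

-- 4. Close the key once this session's reads are done.
CLOSE SYMMETRIC KEY DLKey;
```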
USING SEVERAL DEVICELOCK ENTERPRISE SERVERS WITH ONE DATABASE
When using several DeviceLock Enterprise Server instances with one database, the special database access license must be applied on each of the servers. This is critical when implementing the Many to Many or Many to One DeviceLock Enterprise Server models as mentioned in the DeviceLock Manual in the Installing DeviceLock Enterprise Server chapter.
During an upgrade of DeviceLock Enterprise Server, the database will automatically be upgraded to the new version. The process may take more time than in previous versions because of the encryption process.
The update process is performed in passive mode. In cases where the update process takes more than 1 minute, the following message will appear in the status window:
"Upgrading the database…
Please wait while DeviceLock Enterprise Server is upgrading the "database_name" database.
The database upgrade is performing in the background so you can close this wizard. Do not power off or reboot the DeviceLock or SQL Server during this process."
Installation will be successfully completed, but attempting to connect to the DeviceLock Enterprise Server during the database upgrade process will be unsuccessful and the following dialog window will appear:
"The DeviceLock Enterprise Server database is upgrading.
Please wait until the database is finished performing upgrade and connect again later."
Unfortunately, it's not possible to predict exactly when the upgrade process will be completed. Connectivity to DeviceLock Enterprise Server will be restored as soon as the upgrade process completes. DeviceLock will enter a record about the successful database upgrade into the Server Log upon completion.
Note: Due to the implementation of DeviceLock database encryption, SQL Server 2000 and MSDE/MSEE are no longer supported. Creating a new database, or upgrading an existing one, on these versions of SQL Server will fail with the following error message: "This version of MS SQL Server is not supported by DeviceLock Enterprise Server."