17 changes: 16 additions & 1 deletion sp_CheckSecurity.sql
@@ -674,6 +674,21 @@ INNER JOIN sys.dm_database_encryption_keys d
ON c.thumbprint = d.encryptor_thumbprint;


/* check TDE key algorithm and key length */
INSERT #Results
SELECT
3
, 'Potential - review recommended'
, 'TDE uses legacy encryption algorithm'
, d.name
, 'The TDE encryption for database ' + d.name + ' uses the encryption algorithm ' + dek.key_algorithm + ' with a key length of ' + CAST(dek.key_length AS CHAR(4))
, 'The database encryption key should be regenerated to use the more secure AES_256 algorithm.'
, 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/choose-an-encryption-algorithm?view=sql-server-ver16'
FROM sys.dm_database_encryption_keys dek
RIGHT JOIN master.sys.databases d ON d.database_id = dek.database_id
WHERE dek.key_algorithm <> 'AES' or dek.key_length <> '256'


/* check for database backup certificate backup */
IF @SQLVersionMajor >= 12 BEGIN
SET @SQL = '
@@ -1162,4 +1177,4 @@ IF @ShowHighOnly = 0
, ReadMoreURL
FROM #Results
ORDER BY 1, 2, 3, 4, 5
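Review bot: The filter `WHERE dek.key_algorithm <> 'AES' or dek.key_length <> '256'` that closes the new TDE check discards every row whose `dek` columns are NULL, so the `RIGHT JOIN master.sys.databases d` above it behaves as an inner join and should be written as one. The key length is also compared with a string literal, which relies on implicit conversion if `key_length` is numeric, as the `CAST` in the details column suggests. I would write `INNER JOIN master.sys.databases d ON d.database_id = dek.database_id` and `WHERE dek.key_algorithm <> 'AES' OR dek.key_length <> 256;`, ending with the semicolon that the preceding statement uses. The finding title says 'legacy encryption algorithm', yet the predicate also reports AES keys shorter than 256 bits, so the title should say the key is weaker than AES_256 rather than legacy. `CAST(dek.key_length AS CHAR(4))` pads three-digit lengths with a trailing space in the details text; `VARCHAR(4)` avoids that.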