Securing Databases with Intel® Advanced Encryption Standard New Instructions (AES-NI)


Database access via the web is now commonplace. Databases are cardinal components of any web-based application, since they are what let a website serve dynamic content. Protecting them is critical because they often store sensitive information. Traditionally, databases were secured against attackers with network controls such as firewalls and network-based intrusion detection systems. Those controls remain valuable, but as networks are opened to wider access, securing the database system itself, its programs and functions, and the data it holds has become more critical. This blog discusses transparent data encryption as a way to secure a database by encrypting its data at rest.


Acronyms and Important Concepts

·       DEK: Database Encryption Key, the symmetric key used to encrypt and decrypt a Microsoft* SQL Server database.


·       HSM: Hardware Security Module [1], a tamper-resistant device used to store and protect encryption keys.


·       MEK: Master Encryption Key, used to encrypt the Oracle* column and tablespace encryption keys.


·       Asymmetric Key: One of a pair of keys used with an asymmetric cryptographic algorithm. The algorithm uses two keys: a "public key" for encryption and a "private key" for decryption. For signatures the roles are reversed: the private key generates the signature and the public key verifies it.


·       Tablespace: A logical storage unit within an Oracle database. It is logical because a tablespace is not itself visible in the file system of the database host; it is backed by one or more data files that are.


Transparent Data Encryption

Transparent Data Encryption (TDE) is a database encryption technology offered by both Microsoft* and Oracle*. It protects data by encrypting the physical files of the database (the data and log files) as they are written to disk and decrypting them as they are read, without changes to the application or its queries, which is what makes it "transparent". Its purpose is to stop someone who obtains the files, for example by copying them and restoring them on another server, from reading the data: with TDE in place the restore also needs the certificate or master key that protects the database key, so a stolen database cannot be opened without the keys used to encrypt it. TDE protects data "at rest" only; data in memory, data in transit between client and server, and the rows returned to an authorized user's query are not encrypted by TDE.

How Microsoft* SQL Server Transparent Data Encryption Works

When Microsoft TDE [2] is enabled, a Database Encryption Key (DEK) is created. The DEK is stored in the database itself and managed by SQL Server. It is protected in turn by a certificate stored in the master database (whose private key is protected by the database master key, which is created with a password) or by an asymmetric key held in an HSM through SQL Server's Extensible Key Management (EKM). Microsoft* introduced TDE in SQL Server 2008; it is available in the Enterprise edition of SQL Server 2008 and 2012.
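The key hierarchy described above, as an added example that is not code from the Intel post or from Microsoft: the following T-SQL enables TDE on a hypothetical database AppDb with an AES-256 DEK protected by a server certificate, backs up that certificate, and verifies the encryption state. The database name, certificate name, file paths and passwords are placeholders.

```sql
-- Step 1: key hierarchy in master: a password-protected database master key and the TDE certificate.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for AppDb';
GO

-- Step 2: back up the certificate AND its private key before encrypting anything.
-- Without this backup the database cannot be restored on another server (e.g. after a hardware failure).
BACKUP CERTIFICATE TdeCert TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-- Step 3: create the DEK inside the user database and switch encryption on.
USE AppDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE AppDb SET ENCRYPTION ON;
GO

-- Step 4: verify. encryption_state 3 = encrypted; 2 = encryption in progress (watch percent_complete).
-- tempdb appears in the result as well: it is encrypted automatically once any user database is.
SELECT d.name, k.encryption_state, k.key_algorithm, k.key_length, k.percent_complete
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;
GO

-- Step 5 (on a second server): a restore of AppDb only works after the certificate has been
-- re-created from the backup; otherwise RESTORE DATABASE fails with Msg 33111,
-- "Cannot find server certificate with thumbprint ...".
-- USE master;
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<DMK password for this server>';
-- CREATE CERTIFICATE TdeCert
--     FROM FILE = 'D:\keys\TdeCert.cer'
--     WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
--                       DECRYPTION BY PASSWORD = '<strong private key password>');
-- RESTORE DATABASE AppDb FROM DISK = 'D:\backup\AppDb.bak';
```

To keep the DEK protector in an HSM instead of in the master database, replace the certificate with an asymmetric key created through an EKM provider (CREATE ASYMMETRIC KEY ... FROM PROVIDER ...) and use ENCRYPTION BY SERVER ASYMMETRIC KEY in the CREATE DATABASE ENCRYPTION KEY statement. The operational point is the same either way: whoever holds the certificate or the HSM key can open the database, and whoever loses it cannot.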


How Oracle* Transparent Data Encryption Works

Oracle TDE [3] encryption keys are created and managed by the database. Oracle TDE uses two kinds of data keys: a column key for each table that has encrypted columns, and a tablespace key for each encrypted tablespace. Column keys are stored (encrypted) in the Oracle* data dictionary and each tablespace key is stored in the header of its tablespace. Both are encrypted with the master encryption key (MEK), which is kept outside the database, in an HSM or an Oracle wallet, so that the data files and dictionary alone are not enough to decrypt anything.


Oracle* Database 10g Release 2 introduced column encryption; Oracle Database 11g added tablespace encryption and support for storing the MEK in an HSM.
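The Oracle key hierarchy described in the two preceding paragraphs, as an added example that is not code from the Intel post or from Oracle: the following Oracle Database 11g SQL creates the MEK, opens the wallet, creates one encrypted tablespace and one encrypted column, and queries the views that show what is actually encrypted. The wallet directory, tablespace name, data file path, table definition and password are placeholders.

```sql
-- sqlnet.ora (not SQL): tell the database where the master encryption key lives.
-- Software wallet:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
-- HSM instead of a wallet (the HSM vendor's PKCS#11 library must be installed on the host):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

-- Step 1: create the MEK and open the wallet. This is the 11g syntax;
-- Oracle 12c replaced it with ADMINISTER KEY MANAGEMENT.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet password>";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet password>";

-- Step 2a: tablespace encryption. The tablespace key is generated by the database and stored,
-- encrypted with the MEK, in the tablespace header. Everything placed in this tablespace is
-- encrypted, and this is the path that Intel AES-NI accelerates in 11g Release 2.
CREATE TABLESPACE secure_ts
    DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
    ENCRYPTION USING 'AES256'
    DEFAULT STORAGE (ENCRYPT);

-- Step 2b: column encryption for a single sensitive column. The column key is stored in the
-- data dictionary, encrypted with the MEK. SALT (the default) makes equal plaintexts encrypt
-- differently; NO SALT is required only if the column is to be indexed.
CREATE TABLE customers (
    id   NUMBER PRIMARY KEY,
    name VARCHAR2(100),
    ssn  VARCHAR2(11) ENCRYPT USING 'AES256'
) TABLESPACE users;

-- Step 3: verify what is actually encrypted.
SELECT wrl_type, status FROM v$encryption_wallet;                 -- status must be OPEN
SELECT tablespace_name, encrypted FROM dba_tablespaces;            -- YES for secure_ts
SELECT ts#, encryptionalg, encryptedts FROM v$encrypted_tablespaces;
SELECT owner, table_name, column_name, encryption_alg, salt
FROM dba_encrypted_columns;
```

The wallet (or the HSM connection) must be open after every instance restart, or every access to encrypted data fails with ORA-28365 "wallet is not open". An auto-login wallet removes that operational step, but it also means anyone who can read the wallet file on the host can open the keys, which is the trade-off an HSM is meant to avoid.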



Advanced Encryption Standard (AES) [4] is the cipher that does the actual encryption of the data. AES is a symmetric block cipher adopted as a U.S. government standard in 2001. It operates on 128-bit blocks with a 128-, 192- or 256-bit key, transforming each block through 10, 12 or 14 rounds respectively. AES is one of the encryption algorithms that TDE supports.


Intel AES New Instructions (AES-NI) [5] are a set of processor instructions introduced with the 2010 Intel Core processor family built on the 32nm Intel microarchitecture code-named Westmere. They implement the performance-intensive steps of AES (the round transformation, the final round, their inverses, and key-expansion assistance) in hardware, so that a single instruction performs a complete AES round. Besides the speed-up, this removes the software lookup tables that table-driven AES implementations depend on, and with them the cache-timing side channel those tables create.


Oracle* TDE in Database 11g Release 2 uses Intel AES-NI for database encryption when the processor supports it.

Vormetric* Encryption software supports Intel AES-NI for databases such as IBM* DB2, Microsoft* SQL Server, Oracle*, Informix* and MySQL running on Linux* and Microsoft* Windows. More information about Vormetric* products can be found on the company's website [6].



As noted above, Oracle* TDE 11g Release 2 uses Intel AES-NI to speed up encryption and decryption relative to a software-only AES implementation. Note that in 11g Release 2 only tablespace encryption benefits from Intel AES-NI; column encryption is not accelerated. The following images illustrate the improvement obtained when the encryption/decryption routines are optimized with the Intel® Integrated Performance Primitives (Intel® IPP) crypto library, which is itself optimized with Intel AES-NI. More information about this test can be found here. Note that performance varies with the system and its configuration.



The images show the encryption/decryption performance of Oracle* Enterprise Edition TDE with 256-bit AES, with and without Intel® Integrated Performance Primitives (Intel® IPP).




The images show the encryption/decryption performance of Oracle* Enterprise Edition TDE with 128-bit AES, with and without Intel® Integrated Performance Primitives (Intel® IPP).




TDE encrypts the database files to protect the data at rest, and Intel AES-NI speeds up the encryption and decryption that TDE performs.