KB #240124: Using Encryptionizer for SQL on a Cluster

Type:

Information

Summary:

Encryptionizer for SQL is cluster safe, but the installation and configuration are not cluster-aware. With a few steps, you can install and configure Encryptionizer while minimizing downtime.

Additional Information:

  1. Reference Nodes as follows:
    • Node 1: Initially Active Node
    • Node 2: Initially Passive Node
  2. Log in to Node 2 (passive node). We recommend you examine the application log and take care of any errors before proceeding.
  3. Confirm that Node 2 is indeed not active and does not control cluster resources.
  4. Install Encryptionizer for SQL Server, following the prompts in the setup program. Activate the software using the activation information provided.
  5. Skip the option to Install Encryptionizer SQL API’s at this point (you will do this later).
  6. Reboot Node 2.
  7. Run the Encryptionizer Administration Wizard to enable Encryptionizer on Node 2 (still passive) and set the encryption key that will be delivered to SQL when this instance is active. You will choose the local instance that is part of the cluster instance.
  8. When you select Finish, you may be presented with the following: “Warning: The Encryptionizer Admin Wizard detected the selected MSSQL Server instance may not be completely stopped. The Wizard will complete but Encryptionizer will not take effect until the MSSQl Server instance has been restarted (Status Code = 4)”. Select OK at this point to proceed.
  9. (Optional) Reboot Node 2 to clear any memory halts. If you reboot, wait for the node to completely come back online.
  10. Failover from Node 1 to Node 2, so Node 2 is now active and Node 1 is now passive.
  11. Log in to Node 1 (now passive).
  12. Install Encryptionizer for SQL Server on Node 1. Again, skip installing the APIs during the installation.
  13. Reboot Node 1.
  14. Enable Encryptionizer on this node, as performed above on Node 2, using the same key profile information as before.
  15. Failover from Node 2 back to Node 1 so Node 1 is active and Node 2 is passive.
  16. On the Active node, run “Install NetLib APIs” from the NetLib Encryptionizer Main Menu. At the bottom of the screen listing SQL instances, check “Include Network/Clustered instances” and click the Refresh button. If your networked or clustered instance is not listed, but you know it is there, you can enter the instance name in the field at the bottom of the screen. Make sure you are connecting to the Cluster node at this point and not the local instance. The SQL Cluster must be running and accessible from the Active Node. If only using Whole Database Encryption, add the APIs to the Master database only. If using Column Encryption, the APIs should also be added to the databases whose columns are to be encrypted.
  17. To confirm that keys are delivered to the running SQL cluster, and that the APIs were added properly, run the following command in a SQL Server Management Studio query window:

      select master.dbo.fn_n_keycount()

      A value > 0 indicates Encryptionizer is successfully configured, and at least 1 key is being delivered to the SQL Cluster.
  18. For Whole Database Encryption, continue with the next step. For Column Encryption, continue below.
  19. For Whole Database Encryption only: take each database to be encrypted offline, then encrypt it using the Encrypt/Decrypt Wizard. See the Whole Database Administration Guide for more information.
  20. For Column Encryption (if licensed), you may now use the Encryptionizer Col-E Manager to encrypt columns.
  21. After all updates are made, perform new backups of databases including master.
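
The two verification points in this procedure (step 3, the node owns no cluster resources; step 17, the key count is above zero) can be scripted. The following is an added example, not NetLib code: it assumes the Microsoft FailoverClusters and SqlServer PowerShell modules are installed, and the network name `SQLCLUSTER01` and role name `SQL Server (MSSQLSERVER)` are placeholders for your own values.

```powershell
# Added example, not part of the vendor KB article.
# Assumes the FailoverClusters and SqlServer modules are available.
Import-Module FailoverClusters, SqlServer

# Step 3: a node is safe to install on only if it owns no cluster groups.
function Test-NodeIsPassive {
    param([string]$NodeName = $env:COMPUTERNAME)
    $owned = Get-ClusterGroup | Where-Object { $_.OwnerNode.Name -eq $NodeName }
    if ($owned) {
        Write-Warning "$NodeName still owns: $($owned.Name -join ', ')"
        return $false
    }
    return $true
}

# Step 17: query the key count through the cluster network name (not the
# local instance) and record which node was active when the check ran.
function Get-EncryptionizerKeyStatus {
    param(
        [string]$SqlNetworkName = 'SQLCLUSTER01',             # placeholder
        [string]$RoleName       = 'SQL Server (MSSQLSERVER)'  # placeholder
    )
    $group = Get-ClusterGroup -Name $RoleName
    $row = Invoke-Sqlcmd -ServerInstance $SqlNetworkName -Database master `
        -Query 'select master.dbo.fn_n_keycount() as KeyCount' -ErrorAction Stop
    [pscustomobject]@{
        ActiveNode = $group.OwnerNode.Name
        RoleState  = $group.State
        KeyCount   = [int]$row.KeyCount
        KeysLoaded = ([int]$row.KeyCount -gt 0)   # page: a value > 0 means configured
        CheckedAt  = Get-Date
    }
}
```

Run `Test-NodeIsPassive` on a node before installing on it, and `Get-EncryptionizerKeyStatus` once the APIs are installed; repeating the second check after a later planned failover shows whether the other node also delivers a key while it is active.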

Last modified: 1/24/2024
