An error occurred:

MS SQL Server 2016 Database STIG Version Comparison

MS SQL Server 2016 Database Security Technical Implementation Guide

Comparison

There are 1 differences between versions v2 r7 (Oct. 25, 2023) (the "left" version) and v2 r9 (April 24, 2024) (the "right" version).

Check SQL6-D0-001800 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Text Differences

Title

The Certificate used for encryption must be backed up, up and stored offline and off-site. in a secure location that is not on the SQL Server.

Check Content

If the application owner and Authorizing authorizing Official official have determined that encryption of data at rest is not required, this is not a finding. Review procedures for, for and evidence of backup of the Certificate used for encryption in the System Security Plan. If the procedures or evidence does not exist, this is a finding. If the procedures do not indicate that a backup offline and off-site storage of the Certificate used for encryption, encryption is stored in a secure location that is not on the SQL Server, this is a finding. If procedures do not indicate access restrictions to the Certificate backup, this is a finding.

Discussion

Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.

Fix

Document and implement procedures to safely back up and store the Certificate used for encryption. encryption in a secure location that is not on the SQL Server. Include in the procedures methods to establish evidence of backup and storage, storage and as well as careful, restricted access and restoration of the Certificate. Certificate. BACKUP Also, include provisions to store the backup off-site. BACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' WITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.