Introduction to Transparent Data Encryption (TDE)

1. Introduced in SQL Server 2008.

2. It performs real-time I/O encryption and decryption of a SQL Server database's data and log files.

3. Uses the AES or 3DES encryption algorithms.

4. No application changes are required to take advantage of TDE.

5. Backups of a database protected by TDE are also protected.

6. Encrypted data compresses significantly less than equivalent unencrypted data, so using TDE and backup compression together is not recommended.

7. TDE is available in the SQL Server 2012 Enterprise edition; it is not available in the Standard and Business Intelligence editions. In SQL Server 2008 and SQL Server 2008 R2, TDE is available in the Data Center and Enterprise editions.

8. TDE protects data "at rest", meaning the data and log files, but an authorized user such as a security administrator can still access the data in a TDE-encrypted database. To prevent an SA or DBA from accessing selected parts of the data, you need to use application-level encryption.

9. Some performance overhead is involved in using TDE.

10. TDE encrypts data stored on disk at the page and log level. Data sent across the wire to the client connection isn't encrypted.

11. If you want to encrypt the link between SQL Server and the client system, you need to use SSL (Secure Sockets Layer).

12. TDE does not increase the size of the encrypted database.

13. To use TDE, follow these steps.

a. Create a master key
b. Create or obtain a certificate protected by the master key
c. Create a database encryption key and protect it by the certificate
d. Set the database to use encryption
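The four steps put together as an added T-SQL example (written for this post, not the original author's script); the database name SalesDB, the certificate name, the file paths and the passwords are placeholders, and the certificate backup and the status query are added so the key can be recovered and the encryption scan can be watched:

```sql
-- Added example (not from the original post): the four TDE steps from item 13
-- as T-SQL, plus the certificate backup and status check a DBA would run.
-- Names, paths and passwords are placeholders: replace them before use.

-- a. Create the database master key in the master database.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongMasterKeyPassword>';
GO

-- b. Create a certificate protected by that master key.
CREATE CERTIFICATE TDE_ServerCert
    WITH SUBJECT = 'TDE certificate for SalesDB';
GO

-- Back up the certificate and its private key right away: a TDE-encrypted
-- database or its backups cannot be restored on another server without it.
BACKUP CERTIFICATE TDE_ServerCert
    TO FILE = 'D:\Secure\TDE_ServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\Secure\TDE_ServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<StrongPrivateKeyPassword>'
    );
GO

-- c. Create the database encryption key (DEK) inside the user database,
--    protected by the server certificate.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_ServerCert;
GO

-- d. Turn encryption on; existing pages are encrypted by a background scan.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- Check progress: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
FROM sys.dm_database_encryption_keys AS k;
```

Once any user database is encrypted, tempdb also appears in the last query's result, which is the behaviour item 15 below describes.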

14. TDE encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module.

15. The tempdb system database will be encrypted if any other database on the instance of SQL Server is encrypted by using TDE.

16. Replication does not automatically replicate data from a TDE-enabled database in an encrypted form. You must separately enable TDE if you want to protect the distribution and subscriber databases. Snapshot replication, as well as the initial distribution of data for transactional and merge replication, can store data in unencrypted intermediate files; for example, the bcp files. During transactional or merge replication, encryption can be enabled to protect the communication channel.

17. FILESTREAM data is not encrypted even when TDE is enabled.
