Transparent Data Encryption (TDE) is a feature in SQL Server that encrypts the entire database (data and log files) at the storage level. TDE protects the database from media theft and ensures that data cannot be read or written to disk in an unencrypted format. TDE uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key to encrypt the database. It also encrypts the database backups, so that they can be safely stored off-site.
With TDE, encryption and decryption of the data occurs at the page level, and it is transparent to the applications and users accessing the data. This means that the SQL Server database engine handles the encryption and decryption process, and the application does not need to make any changes to support TDE.
TDE is available in all DataCenter/ Standard Edition /Enterprise Edition of SQL Server and this feature is available from SQL Server 2008 and later upgrade versions.
To configure database encryption on SQL Server, you can use the built-in encryption feature called Transparent Data Encryption (TDE). Here are the general steps to enable TDE on a database:
- Create a master key: This key is used to encrypt the private key of the database encryption key. You can use the following command to create a master key:
USE MASTER GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'your_password' GO
For Example:
USE MASTER GO CREATE MASTER KEY ENCRYPTION BY PASSWORD='&Daily@Learn$QL#' GO
2. Create or obtain a certificate: This certificate is used to protect the private key of the database encryption key. You can use the following command to create a certificate:
USE MASTER GO CREATE CERTIFICATE my_certificate WITH SUBJECT = 'TDE CertificateName'; GO
For Example:
USE MASTER GO CREATE CERTIFICATE Encrypted_Cert WITH SUBJECT = 'Database_Encryption'; GO
3. Create a database encryption key: This key is used to encrypt the data in the database. You can use the following command to create a database encryption key:
USE DATABASENAME GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE my_certificate; GO
For Example:
USE CustomerDB GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE EncryptionTDE_Cert; GO
4. Enable TDE on the database: This will encrypt the data in the database. You can use the following command to enable TDE on a database:
USE DATABASENAME GO ALTER DATABASE your_dbName SET ENCRYPTION ON; GO
Example:
USE CustomerDB GO ALTER DATABASE CustomerDB SET ENCRYPTION ON; GO
5. Now you can see on database Encryption status using a SELECT statement
--Find TDE(Transparent Data Encryption) Certificate on SQL Server SELECT C.NAME FROM MASTER SYS.CERTIFICATES WHERE C.NAME='EncryptionTDE_Cert'
6. Backup the certificate and private key: To protect the encryption key and certificate, you should back up the certificate and private key to a secure location.
BACKUP CERTIFICATE my_certificate TO FILE = 'path_to_backup_file' WITH PRIVATE KEY (FILE = 'path_to_private_key_file', ENCRYPTION BY PASSWORD = 'your_password');
Example:
BACKUP CERTIFICATE EncryptTDE_Cert TO FILE = 'D:\CustomerDB\EncryptTDE_Cert' WITH PRIVATE KEY (FILE = 'D:\CustomerDB\EncryptTDE_Cert\EncryptTDE.pvk', ENCRYPTION BY PASSWORD = '&Daily@Learn$QL#');
Related Topic: