Wednesday, October 11, 2017

TDE - Transparent Data Encryption

Transparent Data Encryption (TDE) encrypts the database's data files and log files (and therefore the backups taken from them) on the physical disk.  TDE is also known as encrypting data at rest.  TDE does real time encryption and decryption of pages as they move between the disk and memory, so applications need no changes, and data in memory or on the wire is not protected by it.  We will be using the same Key Hierarchy and process as discussed in SQL SERVER Column Encryption, with the certificate living in the master database.  TDE adds two steps on top of that: a database encryption key (DEK) is created inside the user database and protected by the certificate, and then encryption is switched on for the database itself, shown below.



ALTER DATABASE POC_ENCRYPTION
SET ENCRYPTION ON;
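The full sequence from master key to encrypted database, as an added example that is not part of the original post. The database name POC_ENCRYPTION comes from the post; the certificate name, file paths and passwords are placeholders to be replaced.

```sql
-- Added example, not code from the original post.  TDE_POC_Cert, the C:\keys
-- paths and every password below are placeholders (assumptions), not real values.
USE master;
GO
-- 1. Database master key in master.  SQL Server also protects it with the
--    service master key so it can be opened without the password at run time.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-Placeholder-P@ssw0rd!';
GO
-- 2. Certificate in master that will protect the database encryption key.
CREATE CERTIFICATE TDE_POC_Cert
    WITH SUBJECT = 'TDE certificate for POC_ENCRYPTION';
GO
-- 3. Back up the certificate WITH its private key before encrypting anything.
--    Without these two files a TDE-protected backup can never be restored
--    on another instance.  Store them off the server.
BACKUP CERTIFICATE TDE_POC_Cert
    TO FILE = 'C:\keys\TDE_POC_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDE_POC_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'Pvk-Placeholder-P@ssw0rd!');
GO
-- 4. Database encryption key inside the user database, protected by the cert.
USE POC_ENCRYPTION;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_POC_Cert;
GO
-- 5. Switch encryption on.  A background scan encrypts the existing pages;
--    new pages are encrypted as they are written.
ALTER DATABASE POC_ENCRYPTION SET ENCRYPTION ON;
GO
-- 6. Watch the scan.  encryption_state 2 = encryption in progress,
--    3 = encrypted.  tempdb shows up in this view as well once TDE is on.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
```

Step 3 is the one that is easy to skip and expensive to miss: SQL Server warns at step 4 if the certificate has not been backed up, and that warning is the last chance before the backups of POC_ENCRYPTION become unreadable on any instance that lacks the certificate.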

A few items we will need to remember when implementing TDE:


  1. Take a full backup of the database just before enabling TDE so that we can roll back.

  2. Back up all keys, certificates (with their private keys) and passwords, and keep them in a safe location away from the server.  A TDE backup cannot be restored anywhere without the certificate that protects its database encryption key.

  3. To restore a backup to a different server we must first restore the certificate and its private key into that server's master database, which needs the password we used when backing up the private key.  The new server has its own service master key, so the original hierarchy is broken and nothing in the backup itself can recover it.

  4. Every database on the instance takes a performance hit (about 5%), because enabling TDE on any one user database also encrypts tempdb, and tempdb stays encrypted until the instance is restarted after TDE has been removed from all user databases.

  5. Any FILESTREAM data will NOT be encrypted by TDE.

  6. Replication does not carry the encryption with it: replicated data is not encrypted in transit or in the snapshot and distribution files, so TDE will need to be implemented separately at the distributor and the subscriber if they need the same protection.
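The restore-to-another-server case from item 3, plus the instance-wide check behind item 4, as an added example that is not part of the original post. It assumes the certificate and private-key files were exported from the source server (as the post's item 2 requires); the target server's master key password, the file paths and the backup file name are placeholders.

```sql
-- Added example, not code from the original post.  File paths, passwords and
-- the backup name are placeholders (assumptions).  Run on the TARGET instance.
USE master;
GO
-- The target instance needs its own database master key.  Its password does
-- not have to match the source server's; the two hierarchies are independent.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Target-Dmk-Placeholder-P@ssw0rd!';
GO
-- Recreate the certificate from the files exported on the source server.
-- DECRYPTION BY PASSWORD is the password used when the private key was
-- backed up, which is why that password must be kept with the files.
CREATE CERTIFICATE TDE_POC_Cert
    FROM FILE = 'C:\keys\TDE_POC_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDE_POC_Cert.pvk',
        DECRYPTION BY PASSWORD = 'Pvk-Placeholder-P@ssw0rd!');
GO
-- Only now can the encrypted backup be restored.  Without the certificate
-- the RESTORE fails with "Cannot find server certificate with thumbprint".
RESTORE DATABASE POC_ENCRYPTION
    FROM DISK = 'C:\backup\POC_ENCRYPTION.bak'
    WITH RECOVERY;
GO
-- Which databases on this instance are encrypted, and by what?  tempdb is
-- listed as soon as any user database has TDE turned on, which is the
-- reason every database on the instance pays the overhead.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.encryptor_type,
       k.encryptor_thumbprint
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
ORDER BY d.name;
GO
```

The last query is also a useful audit before and after a migration: the encryptor_thumbprint of POC_ENCRYPTION must match the thumbprint of the certificate restored into master, and any database with is_encrypted = 1 whose certificate is not on file somewhere off the server is a backup that cannot be restored.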
