Transparent Data Encryption (TDE) encrypts the data stored in the database’s physical data and log files and in any
backup files created from the database; in other words, it protects data at rest. With data security becoming more and more important there’s no doubt that encryption
of data using technologies such as TDE will become increasingly relevant.
In previous articles I discussed some of the advantages and disadvantages of using Transparent Data Encryption as part of a security solution as well as specific details of how
to encrypt a database with TDE.
To finish the series this article discusses some best practices and recommendations for implementing TDE.
Recommendations and Best Practice
- If your database doesn’t need encryption then don’t implement TDE on it – there is a small performance impact
when querying an encrypted database (CPU spent encrypting and decrypting pages as they move between disk and memory), so don’t encrypt needlessly.
- Backups – always back up your databases before encrypting them, so that you can recover if the encryption scan or the key setup goes wrong.
- Storage of encryption keys – back up the certificate together with its private key and store the exported files and their password safely,
away from the database server. They are needed to read the data anywhere else, not just to remove encryption. If disaster
occurs and you need to restore the database to another server from a backup file, the backup will be useless without
the certificate and private key.
- Extended backup duration – encrypted pages look like random data, so backup compression gains little or nothing on a TDE database
(SQL Server 2016 and later can compress a TDE backup only when it is taken with a MAXTRANSFERSIZE above 64 KB). Expect backups to be
roughly the size of the uncompressed data, and to take longer to run.
- TDE isn’t an end to end encryption solution – don’t expect data to be encrypted in transit, or within the application,
even if you have TDE enabled. TDE encrypts the data and log files (e.g. .mdf, .ndf and .ldf files) and backup files (e.g. .bak), nothing more.
Pages are decrypted as they are read into memory, so anyone with permission to query the database sees plaintext, and the results travel
to the client unencrypted unless the connection itself is encrypted. Note also that once any database on an instance is encrypted, tempdb is encrypted as well.
- Implement other data access controls – TDE complements, but does not replace, other methods of securing data, so access
control (via permissions), encryption of sensitive values such as passwords within the application, and securing network traffic are still important.
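The key-storage and backup points above are easiest to see as one disaster-recovery rehearsal: export the certificate and private key on the source server, take the backup, then import the certificate on the target before restoring. The T-SQL below is an added example and not code from the original article; the certificate name TDECert, the database SalesDB, its logical file names, the file paths and the placeholder passwords are all assumptions to be replaced with your own.

```sql
-- Source server: SalesDB is already encrypted, so the certificate that protects
-- its database encryption key (DEK) lives in master.
USE master;
GO

-- 1. Confirm which certificate protects the DEK and the current encryption state.
--    encryption_state 3 means encrypted. tempdb (database_id 2) shows up here too
--    once any database on the instance is encrypted.
SELECT  DB_NAME(dek.database_id) AS database_name,
        dek.encryption_state,
        c.name        AS certificate_name,
        c.expiry_date
FROM    sys.dm_database_encryption_keys AS dek
JOIN    sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint;
GO

-- 2. Export the certificate WITH its private key. Without the private key the
--    exported certificate cannot unwrap the DEK, and every .bak taken under it is
--    unreadable. Store both files and the password off the database server.
--    (TDECert and the paths/password are assumed names for this example.)
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\KeyExport\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyExport\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong export password>'
    );
GO

-- 3. Back up the database. A MAXTRANSFERSIZE larger than 64 KB is what allows
--    SQL Server 2016 and later to compress a TDE-encrypted database; without it
--    the backup is effectively the size of the uncompressed data.
BACKUP DATABASE SalesDB
    TO DISK = 'D:\Backup\SalesDB.bak'
    WITH COMPRESSION, MAXTRANSFERSIZE = 131072, CHECKSUM;
GO

-- Target server: run the following before attempting the restore.
USE master;
GO

-- 4. master needs a database master key to protect the imported private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO

-- 5. Import the certificate and private key. DECRYPTION BY PASSWORD must match
--    the export password used in step 2.
CREATE CERTIFICATE TDECert
    FROM FILE = 'D:\KeyExport\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyExport\TDECert.pvk',
        DECRYPTION BY PASSWORD = '<strong export password>'
    );
GO

-- 6. Only now will the restore succeed; without step 5 SQL Server refuses with
--    "Cannot find server certificate with thumbprint ...". The logical file
--    names SalesDB and SalesDB_log are assumed for this example.
RESTORE DATABASE SalesDB
    FROM DISK = 'D:\Backup\SalesDB.bak'
    WITH MOVE 'SalesDB'     TO 'E:\Data\SalesDB.mdf',
         MOVE 'SalesDB_log' TO 'E:\Log\SalesDB.ldf',
         RECOVERY;
GO
```

Run step 1 again on the target after the restore: the restored database should report encryption_state 3 under the imported certificate, which confirms the key material you archived is actually the key material the backup depends on. Repeating this rehearsal on a scratch server each time the certificate is rotated is the simplest way to prove the stored keys are still usable.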