barnesco

asked on

Can TDE be implemented on disk encryption

Can SQL TDE be implemented on a windows server without any issues? Thanks.
ASKER CERTIFIED SOLUTION
David Favor
The "T" in TDE means "Transparent", which is a synonym of "invisible"... SQL Server encrypts its data pages before saving them to the disk, so anybody who makes a copy of the database cannot attach it to another SQL Server instance... The same is valid for logs and backups.

Once you encrypt the database (which is time consuming), you may see no differences compared to the non-encrypted data. Client applications do not know about the TDE, but they may query e.g. sys.dm_database_encryption_keys if they want and if they have permissions to do so.

There is no OS influence on TDE. The OS just reads/stores everything that SQL Server asks for.

What I would highly recommend is to keep a copy of the keys in a safe place and test the encrypted database backup restore on a different server. This means that in addition to backing up the database, you have to make sure that you maintain backups of the server certificates to prevent data loss. More info is e.g. here.

TDE documentation
This blog post could answer possible additional questions.
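The sequence the answer above describes (enable TDE, back up the server certificate, check sys.dm_database_encryption_keys), as an added T-SQL example that is not part of the original answer. The database name SalesDB, the certificate name, the file paths and the passwords are placeholders chosen for this example.

```sql
-- Added example (not from the original answer): enable TDE on a constructed
-- database named SalesDB, back up the certificate, and check encryption state.
-- Names, passwords and paths are placeholders; replace them before use.
USE master;
GO
-- 1. Database master key in master (protects the certificate's private key)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO
-- 2. Server certificate that will protect the database encryption key
CREATE CERTIFICATE TDE_SalesDB_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and its private key NOW: without these files a
--    TDE-encrypted backup cannot be restored on another instance.
BACKUP CERTIFICATE TDE_SalesDB_Cert
    TO FILE = 'D:\keys\TDE_SalesDB_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keys\TDE_SalesDB_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>');
GO
-- 4. Create the database encryption key inside the user database
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_SalesDB_Cert;
GO
-- 5. Turn encryption on; existing pages are encrypted by a background scan
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 6. Monitor progress: encryption_state 2 = in progress, 3 = encrypted
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
-- On the restore target: create a master key there, then restore the
-- certificate from the backup files before RESTORE DATABASE will succeed.
-- CREATE CERTIFICATE TDE_SalesDB_Cert
--     FROM FILE = 'D:\keys\TDE_SalesDB_Cert.cer'
--     WITH PRIVATE KEY (FILE = 'D:\keys\TDE_SalesDB_Cert.pvk',
--                       DECRYPTION BY PASSWORD = '<strong-private-key-password>');
```

Store the .cer and .pvk files and their password somewhere other than the SQL Server host itself; the test restore onto a second instance is what proves the backup of the keys is complete.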
btan

TDE can work with disk encryption since the former focuses on app-level decryption and the latter focuses on the system level. The links speak on it too.
On the other hand, if someone gained access to the drive via a network share or other services that share data from the drive, he could copy data (for example, an SQL Server backup file or a database file) unless it is locked from doing so by the running SQL Server process. The copy of this file on the new drive is then not encrypted anymore.


With TDE alone, the database files themselves are encrypted (as well as backup files of the TDE-encrypted databases). Therefore, if either file is copied or stolen via a network, as in the above example, the attacker cannot read it. But if the attacker gains access to the whole drive, including SQL Server, he can start SQL Server and read the data using SQL, because SQL Server is doing the decryption for him. Now if both BitLocker and TDE are used concurrently, both data theft vectors are mitigated. Both technologies complement each other, and it is recommended that you use BitLocker together with TDE for defense in depth.
barnesco (ASKER)

Thank you! I appreciate all of your responses.
Thank you to all who responded. Very helpful.