A SQL Server encryption feature that encrypts the entire database at the storage layer, protecting data files, transaction log files, and backups from unauthorized access if the physical storage media is compromised.
- Transparent encryption: Transparent Data Encryption (TDE) encrypts data at rest automatically. SQL Server transparently encrypts and decrypts data during read and write operations without requiring any application changes.
-
Encryption hierarchy: TDE uses a layered key hierarchy consisting of the Database Encryption Key (DEK) stored in the database, protected by a certificate in the
masterdatabase, which is secured by the Service Master Key protected by Windows DPAPI or Azure Key Vault. - Backup protection: Enabling TDE automatically encrypts database backups. A TDE-encrypted backup can only be restored if the original encryption certificate is available.
- Security considerations: TDE protects against physical media theft but does not prevent users with valid SQL Server credentials from accessing data. For comprehensive protection, combine TDE with access controls, auditing, and Always Encrypted for in-use data protection.
- Always Encrypted: Unlike TDE, Always Encrypted secures sensitive data at the column level while it is in use, ensuring that even DBAs cannot view plaintext values without access to the client-side encryption keys.
- Compliance: TDE helps organizations meet data-at-rest encryption requirements for regulations and standards such as HIPAA, PCI DSS, SOX, and GDPR.
- Relevant Idera tools: SQL Secure audits TDE configurations across SQL Server environments, identifying databases that are not encrypted and should be protected.
- Related terms: AES Encryption, Always Encrypted, SQL Secure, HIPAA Audit, Compliance.
