sqld-_-ba (10/12/2015)
TDE protects data at 'rest', meaning if someone got a hold of our physical .mdf/.ldf files, or our .bak's, or tapes, they could recover the data.
TDE protects data at rest meaning they cannot just pick up the mdf\ldf files or the backup file, these are useless without the certificate that encrypts the database.
sqld-_-ba (10/12/2015)
If someone is able to gain physical access to these files, isn't there a bigger problem at hand ?
Yes, you should also be securing your servers NTFS filesystem to prevent users picking these files up, but as i said if you have implemented TDE the files alone are useless, they must have the certificate that encrypts the database.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉