I know that this is a month old post but. . . I am also going to be enabling TDE on databases and was wonder what best practices people follow?

i.e where/how do you secure you keys and certs.

Also FIPS is turned on the servers so does that limit the encrypiton options to me b/c i don't want to wait an hour to find out that the encryption I chose isn't FIPS compliant.

Thanks!