Yep. I have the ssl working on server and client. I can see the tls connection and handshakes and many encrypted packets which is suspect is the dts and dml itself. Then when the data stream gets sent it is encapsulated tds packets inside tcp. When I inspect these packets I can read the table data. So this tells me that the table data stream is excluded from the encryption.

This is either because I am doing something wrong or this is expected behavior. If it is expected I bet many people would be upset as from all articles and books online there is no indication your data isn't being protected.

Can anyone confirm this and if your data is being encrypted what did you do differently?