Key Rotation in TDE

Transparent Data Encryption (TDE) has been around for a long time. It first appeared in SQL Server 2008, and after a rocky start with some bugs, it has become a regularly used feature for many organizations. While not perfect, it does provide some protection and auditors like to see physical protection features being used. It's […]

How to Send a TDE Encrypted Backup to Someone Outside Your Organization

Once you enable your database to be encrypted with Transparent Data Encryption (TDE), the physical database files, and the database backups are encrypted. If your database and database backup are encrypted, then how can you send the encrypted backup to a person outside your organization?

What is the State of My Transparent Data Encrypted Database?

When using Transparent Data Encryption, you might wonder “What is the state of my transparent data encrypted database?” Read on to learn the many different states that a transparent data encrypted database might go through.

Rotating Certificates

How to Enable Transparent Data Encryption

By default, SQL Server does not encrypt data in a SQL Server database in an encrypted format. When SQL Server 2008 was introduced, Microsoft implemented Transparent Data Encryption (TDE). When TDE is enabled on a database SQL Server will encrypt the database as data is written to the disk.

How to Move a TDE Encryption Key to Another SQL Server Instance

If you have a database backup of a Transparent Data Encryption (TDE) enabled database, the database backup will contain encrypted data. Because the database backup contains encrypted data you can’t just restore it to any instance. You can only restore the database backup to an instance that contains the same certificate used to originally encrypt the database.

Updating an expired SQL Server TDE certificate

Simon Liew explains how to generate a new TDE certificate to replace the previous, and also looks at the steps needed if the database is in an Availability Group.

Encrypting the data

Encrypting SQL Server: Transparent Data Encryption (TDE)

Transparent Data Encryption (TDE) encrypts the data within the physical files of the database, the 'data at rest'. Without the original encryption certificate and master key, the data cannot be read when the drive is accessed or the physical media is stolen. The data in unencrypted data files can be read by restoring the files to another server. TDE requires planning but can be implemented without changing the database. Robert Sheldon explains how to implement TDE.

Database TDE