Where I work, we've started implementing SQL Server TDE, which I believe has many advantages over FDE (Full Disk Encryption) solutions.
- Is free with the SQL Server license. Starting with 2016 SP1, TDE is now available on Standard and Express editions.
- Encrypts only the databases that need encryption.
- Typically, the performance impact is not significant or even noticeable, at least not from my experience across a wide variety of large databases.
- The encryption and re-encryption process is asynchronous, so initial implementation and key rotation require no downtime.
- The files can be archived or moved across environments in their original encrypted form (assuming you migrate the certificate as well).
However, if I ever had a need to encrypt the entire server file system, perhaps to protect things like connection strings, logs, and application code, then I might consider Windows' native BitLocker for full disk encryption. Has anyone here had experience with running SQL Server under BitLocker? If so, then what is the performance impact for this specific implementation?
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
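Added example (not from the original post): the T-SQL needed to put one database under TDE, back up the certificate so the encrypted files can be restored on another server, watch the background encryption scan, and rotate keys. The database, certificate, file names and passwords are placeholders for illustration.

```sql
-- 1. One-time server setup (run in master): a database master key and the
--    server certificate that will protect each database's encryption key.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE server certificate';
GO

-- 2. Back up the certificate AND its private key immediately. Without this
--    file pair, encrypted data and log files (and backups) cannot be opened
--    on any other instance. Keep the files and password out of the backup
--    chain they protect (e.g. a separate vault / KMS).
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\SecureKeys\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\SecureKeys\TdeServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-- 3. Encrypt only the database that needs it. Other databases on the
--    instance are left alone (tempdb is encrypted automatically once any
--    user database has TDE enabled).
USE SensitiveDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE SensitiveDb SET ENCRYPTION ON;
GO

-- 4. The encryption scan runs in the background; the database stays online.
--    encryption_state: 1 = unencrypted, 2 = in progress, 3 = encrypted,
--    4 = key change in progress, 5 = decryption in progress,
--    6 = protection (certificate) change in progress.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;
GO

-- 5a. Rotate the server certificate: only the small database encryption key
--     is re-encrypted, data pages are not rewritten. (Create and back up
--     NewTdeServerCert in master first, as in steps 1-2.)
USE SensitiveDb;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE NewTdeServerCert;
GO

-- 5b. Rotate the data key itself: every page is re-encrypted by the same
--     background scan as step 4, again without taking the database offline.
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
GO

-- 6. On the target instance before restoring or attaching the encrypted
--    files: recreate the certificate from the backed-up pair. The master key
--    there is the target's own; it does not have to match the source.
USE master;
GO
CREATE CERTIFICATE TdeServerCert
    FROM FILE = 'C:\SecureKeys\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\SecureKeys\TdeServerCert.pvk',
        DECRYPTION BY PASSWORD = '<strong private key password>');
GO
```

Two checks worth building into the runbook: query step 4 after every enable or regenerate until `encryption_state` reaches 3, and keep the step 2 backup (plus the password) somewhere a restore can reach without the original server, since a backup of a TDE database is unreadable without that certificate.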