Transparent data encryption: Difference between revisions

m Microsoft SQL Server TDE: Date correction
Yobot (talk | contribs)
m WP:CHECKWIKI error fixes using AWB (11974)
{{nomore footnotes|date=March 2015}}
'''Transparent Data Encryption''' (often abbreviated to '''TDE''') is a technology employed by both [[Microsoft]] and [[Oracle Corporation|Oracle]] to [[encryption|encrypt]] [[database]] files. TDE encrypts at the file level: pages are encrypted as they are written to disk and decrypted as they are read into memory, so applications and queries need no changes. It addresses the protection of data at rest, covering the database files on the hard drive and consequently on [[backup]] media; it does not protect data in memory or in transit, nor data read by users who are authorised to query the database. Enterprises typically employ TDE to meet compliance requirements such as [[PCI DSS]].
 
Microsoft offers TDE as part of its [[Microsoft SQL Server]] 2008, 2008 R2, 2012, 2014 and 2016 when released. TDE is only supported on the Evaluation, Developer, Enterprise and Datacenter editions of Microsoft SQL Server. SQL TDE is supported by [[Hardware Security Module]]s from Thales e-Security, Townsend Security and SafeNet, Inc.
== Microsoft SQL Server TDE ==
 
SQL Server utilizes an encryption hierarchy that enables databases to be shared within a cluster or migrated to other instances without re-encrypting them, because only the key material protecting the database's own key has to be moved. The hierarchy combines symmetric and asymmetric keys:<ref>[https://technet.microsoft.com/en-us/library/bb934049(v=sql.110).aspx "Transparent Data Encryption (TDE)"] ''Microsoft TechNet''</ref>
 
* Windows [[Data Protection API|Data Protection API (DPAPI)]] protects a single instance-wide Service Master Key (SMK).
* The Service Master Key encrypts the Database Master Key (DMK) of the ''master'' database.
* That Database Master Key protects the private key of a certificate stored in ''master''; the certificate in turn encrypts the Database Encryption Key (DEK) held in each user database. Alternatively, the DEK can be encrypted by an asymmetric key that resides in an external [[Hardware Security Module]], reached through SQL Server's Extensible Key Management (EKM) interface.
* The Database Encryption Key is a symmetric key used to encrypt the database's data and log files with either the [[Advanced Encryption Standard|AES]] (128-, 192- or 256-bit) or [[Triple DES|3DES]] cipher.
* The ''master'' database, which contains system-level information, user accounts and management services, is not encrypted. The ''tempdb'' system database is encrypted automatically as soon as any user database on the instance is encrypted.
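The following T-SQL walks the hierarchy above from the bottom up and then checks the result. It is an added example, not code from the article or from Microsoft's documentation; the database name SalesDB, the certificate name TDE_Cert, the file paths and the passwords are placeholders.

```sql
-- Added example (not from the article or Microsoft's documentation):
-- building the SQL Server TDE key hierarchy described above, from the
-- master database down to the user database. SalesDB, TDE_Cert, the
-- D:\keys paths and both passwords are placeholders.

USE master;
GO
-- 1. Database Master Key in master. SQL Server encrypts it with the
--    Service Master Key (itself protected by DPAPI); the password is an
--    additional protector that lets the DMK be opened if the SMK is lost.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-P@ssw0rd-placeholder!';
GO
-- 2. Certificate in master; its private key is encrypted by the DMK.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDE_Cert')
    CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and its private key at once. Without this
--    file pair a backup of SalesDB cannot be restored on any other instance.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\keys\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keys\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'Pvk-P@ssw0rd-placeholder!');
GO
-- 4. Database Encryption Key inside the user database, encrypted by the
--    server certificate. AES_256 is the strongest algorithm TDE offers.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Turn encryption on; a background scan encrypts the existing pages
--    while the database stays online.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb appears in the list as well once any user database is encrypted.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name                 AS certificate_name,
       c.subject
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates    AS c
       ON c.thumbprint = k.encryptor_thumbprint
ORDER BY database_name;
```

Step 3 is the one most often skipped and the one that matters most operationally: the certificate, not the database backup, is what a restore on a second instance needs, so the .cer/.pvk pair and its password must be stored away from the server itself.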
 
During database backups, [[Data compression|compression]] is applied after encryption. Because strongly encrypted data is effectively incompressible, compressed backups of TDE-encrypted databases shrink very little while still consuming the CPU time of the compressor, so they require additional resources. SQL Server 2016 and later can compress TDE backups effectively when a MAXTRANSFERSIZE larger than 64 KB is specified.
 
So that the instance can start unattended, SQL Server keeps the root of the hierarchy, the Service Master Key, in persistent storage protected by the [[Data Protection API|DPAPI]] store. This presents a potential security issue: the stored keys can be recovered from a live system or from backups by anyone with sufficient access and used to decrypt the databases.<ref>Simon McAuliffe, [http://simonmcauliffe.com/technology/tde/ "The Anatomy and (In)Security of Microsoft SQL Server Transparent Data Encryption (TDE)"], 19-Mar-2016</ref> Holding the Database Encryption Key's protector outside the instance, in a Hardware Security Module reached through EKM, removes this dependency on the operating system's key store alone.
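As an added example (not from the article or its references), the following T-SQL performs the two checks that follow from the preceding two paragraphs: it takes a compressed backup and reads the real compression ratio back from msdb, and it lists every encrypted database together with the custody status of its protector, so that an instance relying solely on the DPAPI-protected hierarchy, or a certificate whose private key has never been backed up, stands out. SalesDB and the backup path are placeholders.

```sql
-- Added example (not from the article or Microsoft's documentation):
-- two review queries for an instance that uses TDE. SalesDB and the
-- D:\backup path are placeholders.

-- (a) Take a compressed full backup of a TDE database, then compare the
--     logical size with the size actually written. Because the compressor
--     runs after the pages are encrypted, the ratio for a TDE database
--     stays close to 1.0, unlike the same database before encryption.
BACKUP DATABASE SalesDB
    TO DISK = 'D:\backup\SalesDB_full.bak'
    WITH COMPRESSION, INIT;
GO
SELECT s.database_name,
       s.backup_finish_date,
       s.backup_size            / 1048576.0 AS size_mb,
       s.compressed_backup_size / 1048576.0 AS compressed_mb,
       CAST(s.backup_size AS decimal(20, 2))
           / NULLIF(s.compressed_backup_size, 0) AS compression_ratio
FROM msdb.dbo.backupset AS s
WHERE s.type = 'D'                          -- full backups only
  AND s.backup_finish_date = (SELECT MAX(b.backup_finish_date)
                              FROM msdb.dbo.backupset AS b
                              WHERE b.database_name = s.database_name
                                AND b.type = 'D')
ORDER BY s.database_name;
GO

-- (b) Where does the key that protects each DEK live, and has it been
--     backed up? A CERTIFICATE encryptor means the chain ends in the
--     DPAPI-protected Service Master Key on this machine; an ASYMMETRIC KEY
--     bound to a cryptographic provider means an EKM/HSM holds the key.
--     A NULL pvt_key_last_backup_date means the certificate's private key
--     has never been exported, so the database could not be restored elsewhere.
SELECT DB_NAME(k.database_id)   AS database_name,
       k.encryption_state,          -- 3 = encrypted
       k.key_algorithm,
       k.key_length,
       k.encryptor_type,            -- CERTIFICATE or ASYMMETRIC KEY
       c.name                    AS certificate_name,
       c.pvt_key_last_backup_date,
       c.expiry_date,
       a.name                    AS asymmetric_key_name,
       p.name                    AS ekm_provider,
       p.dll_path                AS ekm_provider_dll
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates            AS c
       ON c.thumbprint = k.encryptor_thumbprint
LEFT JOIN master.sys.asymmetric_keys         AS a
       ON a.thumbprint = k.encryptor_thumbprint
LEFT JOIN master.sys.cryptographic_providers AS p
       ON p.guid = a.cryptographic_provider_guid
WHERE k.database_id <> DB_ID('tempdb')      -- tempdb is encrypted implicitly
ORDER BY database_name;
```

Query (b) needs VIEW SERVER STATE and VIEW DEFINITION on the certificates; run it from a monitoring login rather than sysadmin. A row with a certificate name, a NULL backup date and no EKM provider is the configuration the paragraph above warns about: every key needed to decrypt the data lives on the same host as the data.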
 
== See also ==
* [[Encryption]]
* [[Hardware Security Module]]
 
==References==
{{Reflist}}
 
==External links==
* http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asotrans.htm#BABDFHHH
* [https://www.p6r.com/articles/2014/11/22/p6rs-pkcs-11-provider/ P6R's PKCS#11 Provider and Oracle TDE]
 
[[Category:Disk encryption]]