Transparent data encryption (often abbreviated to TDE) is a technology employed by

Microsoft Microsoft Corporation is an American multinational corporation and technology company, technology conglomerate headquartered in Redmond, Washington. Founded in 1975, the company became influential in the History of personal computers#The ear ...

IBM International Business Machines Corporation (using the trademark IBM), nicknamed Big Blue, is an American Multinational corporation, multinational technology company headquartered in Armonk, New York, and present in over 175 countries. It is ...

and

Oracle An oracle is a person or thing considered to provide insight, wise counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. If done through occultic means, it is a form of divination. Descript ...

encrypt In cryptography, encryption (more specifically, encoding) is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the information, known as plai ...

database In computing, a database is an organized collection of data or a type of data store based on the use of a database management system (DBMS), the software that interacts with end users, applications, and the database itself to capture and a ...

files. TDE offers encryption at file level. TDE enables the encryption of

data at rest Data at rest in information technology means data that is housed physically on computer data storage in any digital form (e.g. cloud storage, file hosting services, databases, data warehouses, spreadsheets, archives, tapes, off-site or cloud backu ...

, encrypting databases both on the hard drive and consequently on

backup In information technology, a backup, or data backup is a copy of computer data taken and stored elsewhere so that it may be used to restore the original after a data loss event. The verb form, referring to the process of doing so, is "wikt:back ...

media. It does not protect

data in transit Data in transit, also referred to as data in motion and data in flight, is data en route between source and destination, typically on a computer network. Data in transit can be separated into two categories: information that flows over the publ ...

nor

data in use Data in use is an information technology term referring to active data which is stored in a non-persistent digital state or volatile memory, typically in computer random-access memory (RAM), CPU caches, or CPU registers. Scranton, PA data scie ...

. Enterprises typically employ TDE to solve compliance issues such as

PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use ...

which require the protection of data at rest. Microsoft offers TDE as part of its

Microsoft SQL Server Microsoft SQL Server is a proprietary relational database management system developed by Microsoft using Structured Query Language (SQL, often pronounced "sequel"). As a database server, it is a software product with the primary function of ...

2008, 2008 R2, 2012, 2014, 2016, 2017 and 2019. TDE was only supported on the Evaluation, Developer, Enterprise and Datacenter editions of Microsoft SQL Server, until it was also made available in the Standard edition for 2019. SQL TDE is supported by

hardware security module A hardware security module (HSM) is a physical computing device that safeguards and manages secrets (most importantly digital keys), and performs encryption and decryption functions for digital signatures, strong authentication and other crypt ...

s from Thales e-Security, Townsend Security and SafeNet, Inc. IBM offers TDE as part of Db2 as of version 10.5 fixpack 5. It is also supported in cloud versions of the product by default, Db2 on Cloud and Db2 Warehouse on Cloud. Oracle requires the Oracle Advanced Security option for Oracle 10g and 11g to enable TDE. Oracle TDE addresses encryption requirements associated with public and private privacy and security mandates such as PCI and

California California () is a U.S. state, state in the Western United States that lies on the West Coast of the United States, Pacific Coast. It borders Oregon to the north, Nevada and Arizona to the east, and shares Mexico–United States border, an ...

SB 1386. Oracle Advanced Security TDE column encryption was introduced in Oracle Database 10g Release 2. Oracle Advanced Security TDE tablespace encryption and support for

s (HSMs) were introduced with Oracle Database 11gR1. Keys for TDE can be stored in an HSM to manage keys across servers, protect keys with hardware, and introduce a separation of duties. The same key is used to encrypt columns in a table, regardless of the number of columns to be encrypted. These encryption keys are encrypted using the database server master key and are stored in a dictionary table in the database.

Microsoft SQL Server TDE

SQL Server utilizes an encryption hierarchy that enables databases to be shared within a cluster or migrated to other instances without re-encrypting them. The hierarchy consists of a combination of symmetric and asymmetric ciphers: * Windows Data Protection API (DPAPI) protects a single instance-wide Service Master Key (SMK). * The Service Master Key encrypts the Database Master Key (DMK). * The Database Master Key is used in conjunction with a certificate to encrypt the Database Encryption Key. * The Database Encryption Key is used to encrypt the underlying database files with either the AES or 3DES cipher. * The ''master'' database that contains various system level information, user accounts and management services is not encrypted. During database backups,

compression Compression may refer to: Physical science *Compression (physics), size reduction due to forces *Compression member, a structural element such as a column *Compressibility, susceptibility to compression * Gas compression *Compression ratio, of a ...

occurs after encryption. Due to the fact that strongly encrypted data cannot be significantly compressed, backups of TDE encrypted databases require additional resources. To enable automatic booting, SQL Server stores the lowest level encryption keys in persistent storage (using the DPAPI store). This presents a potential security issue because the stored keys can be directly recovered from a live system or from backups and used to decrypt the databases.Simon McAuliffe
"The Anatomy and (In)Security of Microsoft SQL Server Transparent Data Encryption (TDE)"
19-Mar-2016

References

{{Reflist

External links

Alternative 3rd party solution for all SQL Server Editions

Another alternative 3rd party solution for all SQL Server Editions

Enterprise Security Features Supported by Microsoft SQL Server 2008 R2 Editions

Security Features Supported by Microsoft SQL Server 2012 Editions

Understanding Transparent Data Encryption (TDE) (Microsoft)

Oracle Transparent Data Encryption best practices

* http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asotrans.htm#BABDFHHH
P6R's PKCS#11 Provider and Oracle TDE

Disk encryption

Microsoft SQL Server TDE

See also

References

External links