Transparent Data Encryption (often abbreviated to TDE) is a technology employed by Microsoft, IBM and Oracle to encrypt database files. TDE offers encryption at file level. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media. It does not protect data in transit nor data in use. Enterprises typically employ TDE to solve compliance issues such as PCI DSS which require the protection of data at rest.
Microsoft offers TDE as part of its Microsoft SQL Server 2008, 2008 R2, 2012, 2014, 2016, 2017 and 2019. TDE was only supported on the Evaluation, Developer, Enterprise and Datacenter editions of Microsoft SQL Server, until it was also made available in the Standard edition for 2019. SQL TDE is supported by hardware security modules from Thales e-Security, Townsend Security and SafeNet, Inc.
IBM offers TDE as part of Db2 as of version 10.5 fixpack 5. It is also supported in cloud versions of the product by default, Db2 on Cloud and Db2 Warehouse on Cloud.
Oracle requires the Oracle Advanced Security option for Oracle 10g and 11g to enable TDE. Oracle TDE addresses encryption requirements associated with public and private privacy and security mandates such as PCI and California SB 1386. Oracle Advanced Security TDE column encryption was introduced in Oracle Database 10g Release 2. Oracle Advanced Security TDE tablespace encryption and support for hardware security modules (HSMs) were introduced with Oracle Database 11gR1. Keys for TDE can be stored in an HSM to manage keys across servers, protect keys with hardware, and introduce a separation of duties.
The same key is used to encrypt columns in a table, regardless of the number of columns to be encrypted. These encryption keys are encrypted using the database server master key and are stored in a dictionary table in the database.
Microsoft SQL Server TDE
SQL Server utilizes an encryption hierarchy that enables databases to be shared within a cluster or migrated to other instances without re-encrypting them. The hierarchy consists of a combination of symmetric and asymmetric ciphers:
* Windows Data Protection API (DPAPI) protects a single instance-wide Service Master Key (SMK).
* The Service Master Key encrypts the Database Master Key (DMK).
* The Database Master Key is used in conjunction with a certificate to encrypt the Database Encryption Key.
* The Database Encryption Key is used to encrypt the underlying database files with either the AES or 3DES cipher.
* The ''master'' database that contains various system level information, user accounts and management services is not encrypted.
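As an added example that is not part of this article, the hierarchy above expressed in T-SQL for a hypothetical database SalesDB; the certificate name TDE_Cert, the key file paths and the passwords are placeholders, and the final query is the check an administrator would run to confirm which databases are actually encrypted.

```sql
-- Added example (not from the article): enabling TDE on a hypothetical
-- database named SalesDB. TDE_Cert, SalesDB and the file paths are
-- assumptions; the passwords are placeholders.

-- 1. Database Master Key in master, protected by the Service Master Key
--    (which DPAPI protects at the instance level).
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';

-- 2. Certificate in master, protected by the DMK. It becomes the
--    encryptor of the Database Encryption Key.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';

-- 3. Back up the certificate and its private key before enabling TDE.
--    A backup of the encrypted database cannot be restored on another
--    instance without this certificate; store it apart from the
--    database backups.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'X:\keys\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'X:\keys\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>');

-- 4. Database Encryption Key inside the user database, AES-256,
--    encrypted by the certificate. (With an EKM/HSM provider the
--    encryptor would instead be an asymmetric key held in the module.)
USE SalesDB;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;

-- 5. Turn encryption on; a background scan encrypts the existing pages.
ALTER DATABASE SalesDB SET ENCRYPTION ON;

-- Verification: encryption_state 3 = encrypted, 2 = encryption in
-- progress. master never appears as encrypted, matching the point above.
SELECT d.name, k.encryption_state, k.key_algorithm, k.key_length,
       k.encryptor_type
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;
```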
During database backups, compression occurs after encryption. Because strongly encrypted data cannot be significantly compressed, backups of TDE encrypted databases require additional resources.
To enable automatic booting, SQL Server stores the lowest level encryption keys in persistent storage (using the DPAPI store). This presents a potential security issue because the stored keys can be directly recovered from a live system or from backups and used to decrypt the databases.
Simon McAuliffe, "The Anatomy and (In)Security of Microsoft SQL Server Transparent Data Encryption (TDE)", 19-Mar-2016.
See also
* Disk encryption
* Encryption
* Hardware security module
References
{{Reflist}}
External links
* Alternative 3rd party solution for all SQL Server Editions
* Another alternative 3rd party solution for all SQL Server Editions
* Enterprise Security Features Supported by Microsoft SQL Server 2008 R2 Editions
* Security Features Supported by Microsoft SQL Server 2012 Editions
* Understanding Transparent Data Encryption (TDE) (Microsoft)
* Oracle Transparent Data Encryption best practices
* http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asotrans.htm#BABDFHHH
* P6R's PKCS#11 Provider and Oracle TDE