SQL Server Transparent Database Encryption (TDE) | v7+
The Certero Databases can be encrypted using SQL Server Transparent Data Encryption (TDE). This article provides information about TDE and how this can be enabled from version 7 of Certero Provisioning.
This article only applies to on-premises customers. For SaaS-hosted customers, these settings are managed by Certero.
About Transparent Database Encryption
Transparent Data Encryption (TDE) encrypts SQL Server data files. This encryption is known as encrypting data at rest.
To help secure a database, you can take precautions like:
Designing a secure system
Encrypting confidential assets
Building a firewall around the database servers
But a malicious party who steals physical media like drives or backup tapes can restore or attach the database and browse its data.
One solution is to encrypt sensitive data in a database and use a certificate to protect the keys that encrypt the data. This solution prevents anyone without the keys from using the data. But you must plan this kind of protection in advance.
TDE does real-time I/O encryption and decryption of data and log files. The encryption uses a database encryption key (DEK). The database boot record stores the key for availability during recovery. The DEK is a symmetric key. It's secured by a certificate that the server's master database stores or by an asymmetric key that an EKM module protects.
TDE protects data at rest, meaning the data and log files, and helps you comply with many laws, regulations, and guidelines established in various industries. Because encryption is applied at the file level, data can be encrypted using the AES and 3DES algorithms without changing existing applications.
Supported Versions of SQL Server
In order to enable TDE, customers must be using a supported version of SQL Server. The following versions and editions of Microsoft SQL Server support TDE:
SQL Server Enterprise 2008 R2 or above
SQL Server Standard 2019 or above
The option to encrypt the Certero databases using TDE in Certero Provisioning is only available when a supported version is in use.
Enabling TDE within Microsoft SQL Server
To use TDE, you must first enable it within Microsoft SQL Server. There is an article on how to do this here: Enabling Transparent Data Encryption (TDE)
Encrypting Databases in Certero Provisioning
To enable TDE on the Certero databases:
Log in to Certero Provisioning
Click on Tenants
Click on the drop-down arrow next to the Tenant name

Please select a certificate from the list below. SQL transparent data encryption (TDE) will be enabled for the instance by encrypting the physical database files, i.e. encryption at rest.
Select the certificate you want to use for encryption and click 'OK'

Enabling TDE will stop and start the Certero tenant site, which will be unavailable for 1-2 minutes while the database is encrypted
A padlock icon will be displayed against the Tenant name to show it is encrypted

TDE can be disabled by selecting Disable TDE from the drop-down arrow next to the Tenant name
Backups of databases that have TDE enabled are also encrypted with the database encryption key. As a result, when you restore these backups, the certificate that protects the database encryption key must be available. Therefore, in addition to backing up the database, customers must make sure to maintain backups of the server certificates (including their private keys). If the certificates are no longer available, the backups cannot be restored and the data is lost.
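The following T-SQL is an added example, not part of this article or of Certero Provisioning. Run in the master database of the SQL Server instance hosting the Certero databases, it backs up the TDE certificate with its private key and then checks which databases are encrypted and whether each protecting certificate has ever been backed up. The certificate name, file paths and password are placeholders; pvt_key_last_backup_date requires SQL Server 2012 or later.

```sql
-- Added example (not from the Certero article). Placeholder names:
-- CerteroTDECert, C:\CertBackup\... and the password. Substitute your own.
USE master;
GO

-- 1. Back up the certificate that protects the DEK together with its
--    private key. Without this file pair a TDE-encrypted backup cannot be
--    restored on another server. Store the files off the database host.
BACKUP CERTIFICATE CerteroTDECert
    TO FILE = 'C:\CertBackup\CerteroTDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\CertBackup\CerteroTDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>'
    );
GO

-- 2. List every database with a DEK, the certificate protecting it, and
--    when that certificate's private key was last backed up.
--    encryption_state: 2 = encryption in progress, 3 = encrypted,
--    5 = decryption in progress. tempdb appears once any user DB uses TDE.
SELECT
    DB_NAME(dek.database_id)   AS database_name,
    dek.encryption_state,
    dek.key_algorithm,
    dek.key_length,
    c.name                     AS certificate_name,
    c.expiry_date,
    c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint
ORDER BY database_name;
GO

-- 3. Flag TDE certificates whose private key has never been backed up:
--    any row here is a restore-time data-loss risk.
SELECT c.name, c.expiry_date
FROM sys.certificates AS c
WHERE c.thumbprint IN (SELECT encryptor_thumbprint
                       FROM sys.dm_database_encryption_keys)
  AND c.pvt_key_last_backup_date IS NULL;
GO
```

Re-run query 3 after each certificate rotation; the padlock in Certero Provisioning shows that a tenant is encrypted but not that its certificate is recoverable.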
For more information on SQL Server Certificates and Asymmetric Keys click here: SQL Server Certificates and Asymmetric Keys