SQL Server Transparent Data Encryption Setup
By Tom Nonmacher
Transparent Data Encryption (TDE) is a feature you can use to secure your data at rest. It performs real-time I/O encryption and decryption of data and log files, so that sensitive data on disk is protected from unauthorized access. Let's go through the process of setting up TDE on different databases, including SQL Server 2019, MySQL 8.0, and DB2 11.5.
SQL Server 2019 provides built-in support for TDE. The first step is to create a master key, which is used to protect the certificate's private key. Here is the SQL command to create a master key:
-- SQL Server T-SQL code; run in the master database, where the key that protects a TDE certificate must live
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'StrongPassword123!';
Next, we create a certificate that will be used for encryption. The certificate is protected by the master key:
-- SQL Server T-SQL code; still in master, so the certificate is protected by the master key created above
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My Certificate';
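The remaining steps of the SQL Server setup, as an added example that is not part of the original post: it assumes a user database named MyDatabase and a writable directory /var/opt/mssql/backup on the server (both placeholders), and uses the MyServerCert certificate created above.

```sql
-- Added example, not from the original post. Assumes (placeholders) a user
-- database named MyDatabase, a writable directory /var/opt/mssql/backup on the
-- SQL Server host, and the MyServerCert certificate created in master above.
USE master;
GO

-- 1. Back up the certificate and its private key before encrypting anything.
--    An encrypted database cannot be restored or attached on another server
--    without this certificate, so keep the two files and the password off-host.
BACKUP CERTIFICATE MyServerCert
    TO FILE = '/var/opt/mssql/backup/MyServerCert.cer'
    WITH PRIVATE KEY (
        FILE = '/var/opt/mssql/backup/MyServerCert.pvk',
        ENCRYPTION BY PASSWORD = 'CertBackupPassword456!'  -- placeholder
    );
GO

-- 2. Create the database encryption key (DEK) inside the user database.
--    The DEK encrypts the pages; the server certificate protects the DEK.
USE MyDatabase;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO

-- 3. Turn encryption on; a background scan encrypts the existing pages.
ALTER DATABASE MyDatabase SET ENCRYPTION ON;
GO

-- 4. Check progress: encryption_state 2 = in progress, 3 = encrypted.
--    tempdb appears as well, because it is encrypted automatically once any
--    user database on the instance is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
GO

-- 5. Confirm the certificate's private key has been backed up (NULL = never).
SELECT name, pvt_key_last_backup_date
FROM master.sys.certificates
WHERE name = 'MyServerCert';
GO
```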
MySQL 8.0, unlike SQL Server, does not have built-in support for TDE. However, it does support encryption at rest using its keyring feature. To enable this, you need to load the keyring plugin and then set the keyring_file_data variable to the path of your keyring file:
-- MySQL code. keyring_file is a keyring plugin; for InnoDB tablespace encryption the
-- manual has it loaded at server startup with --early-plugin-load=keyring_file.so (in
-- my.cnf), so the keyring exists before InnoDB initializes. INSTALL PLUGIN suits testing.
-- The keyring file and its directory should be readable only by the mysql user.
INSTALL PLUGIN keyring_file SONAME 'keyring_file.so';
SET GLOBAL keyring_file_data = '/var/lib/mysql-keyring/keyring';
DB2 11.5 also supports TDE. To enable it, you need a master key, which is stored in a key store. Here is how you create the key store and the master key:
# DB2 commands, run from a shell as the instance owner (db2inst1). The key store is created with the GSKit tool rather than with SQL; '-stash' writes a stash file so the instance can open it at startup without a prompt.
gsk8capicmd_64 -keydb -create -db /home/db2inst1/db2inst1/keystore -pw 'StrongPassword123!' -type pkcs12 -stash
# Point the instance at the key store, then create the database with ENCRYPT; DB2 generates the master key and stores it in the key store. (mydb is a placeholder database name.)
db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst1/db2inst1/keystore
db2 create database mydb encrypt
Azure SQL and Azure Synapse also support TDE. The setup process is straightforward and can be done through the Azure portal. For Azure SQL, go to your database in the Azure portal, then to the 'Transparent data encryption' section and click on 'ON'. For Azure Synapse, go to your Synapse Studio, then to the 'Security & networking' section and click on 'Manage database firewall' then enable 'Transparent data encryption'.
In conclusion, setting up Transparent Data Encryption (TDE) in your database, whether SQL Server 2019, MySQL 8.0, DB2 11.5, Azure SQL, or Azure Synapse, enhances the security of your data by encrypting it at rest. TDE protects the files on disk and the backups taken from them; a user who can authenticate and query the database still reads plaintext. It is therefore crucial to remember that TDE does not replace other security best practices such as using strong passwords, limiting access permissions, and regularly updating your software.