Ben Miller deserves credit for this post. I have picked up a little bit of information about TDE here and there but he pulled it all together for me. I presented this at work to give a broad overview of what it is and why we would use it. I will be creating a more in depth post later.
What is it?
- Encrypted Data at rest.
- AES (128,192,256) or 3DES
- Encryption is performed at the page level.
- Datafile, Logfile and Tempdb are encrypted.
- Tempdb is encrypted at AES 256 and you can’t change that.
- FileStream data is not encrypted when TDE is enabled.
- Protects against people stealing your files.
- SELECT statement results are not encrypted so it is Transparent to the user.
- No Schema changes like cell level encryption.
- Page level encryption
- MSFT estimates degradation at 3 to 5% instead of 20 – 28% that occurs with cell level.
- Secure backups by default.
- Invisible to user
- Backup compression is not useful when TDE is enabled.
- Enterprise Edition Only
- With Cell level encryption, you have finer control over encrypted elements
- Tempdb is encrypted even if only one database is encrypted.
- Instant File initialization is not available when TDE is enabled.
- If you lose your Certificate, your data is gone.