Blog Post

SQL Server TDE – Is TempDB Encrypted?

,

A really quick one today, something that made me think for a minute and I thought it might make others think too. So you have enabled TDE  – Transparent Data Encryption (you can see these previous posts here: https://blobeater.blog/?s=tde&submit=Search) on your SQL Server database and in the back of your mind you know TempDB gets encrypted too.

If you query sys.databases, such as:

SELECT is_encrypted,name,user_access_desc FROM sys.databases
WHERE database_id = 2 OR database_id = 7

tempdnencrypt

It “might” throw you off. Would you not expect to see is_encrypted set to 1 for TempDB?

huh

Official documentation states the following for this field:

Indicates whether the database is encrypted (reflects the state last set by using the ALTER DATABASE SET ENCRYPTION clause). Can be one of the following values:

1 = Encrypted

0 = Not Encrypted

For more information about database encryption, see Transparent Data Encryption (TDE).

If the database is in the process of being decrypted, is_encrypted shows a value of 0

Some may interpret  the “reflects the state last set by using the ALTER DATABASE SET ENCRYPTION clause” sentence incorrectly. Either way the true confirmation is via this query:

 SELECT
    d.name,
    d.is_encrypted,
    dmk.encryption_state,
    dmk.percent_complete,
    dmk.key_algorithm,
    dmk.key_length
FROM
    sys.databases d
    LEFT OUTER JOIN sys.dm_database_encryption_keys dmk
    ON d.database_id = dmk.database_id;

yesitis

I actually never specifically stated to enable encryption ON for TempDB, it is not part of my actual code. So even though is_encrypted = 0, the encryption state = 3 which definitely means that TempDB is fully encrypted (notice the key_algorithm and length too).

So if you think you have missed something, don’t worry you haven’t.

Did Microsoft Change Something?

I ran all the above tests on SQL Server 2014, HOWEVER I enabled TDE on a database (called BBQ because it is 27 degrees Celsius and I should be outside) that is on Microsoft SQL Server vNext (CTP2.0) and I ran the above queries and guess what?

TempDB will show as is_encrypted = 1

vnextTDE

vnext

I much prefer that!

 

 

Filed under: SQL SERVER, TDE Tagged: Encryption, SQL server, SQL Server 2014, SQL Server vNext, TDE, TSQL

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

You rated this post out of 5. Change rating

2009-02-23

1,567 reads

Technical Article

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

You rated this post out of 5. Change rating

2009-02-17

1,530 reads

Technical Article

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

You rated this post out of 5. Change rating

2009-02-13

360 reads