Encrypting SQL 2012

  • I need some assistance, please.

    Now that TDE has blown up in our faces with SQL 2012, we are being pushed to use "native SQL encryption" on our databases to ensure the data at rest is encrypted. This while we're in the middle of a migration to new servers.

    Does anyone know what "native SQL encryption" means that makes it different from TDE? I can't seem to find it on Google.

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • For me it would mean using TDE, as this is encryption at rest for all I know. I would ask whoever requested it to ensure that is what they meant, and if not, to explain what they meant by it.

    Hope they're not talking about Always Encrypted - https://info.townsendsecurity.com/sql-server-always-encrypted-vs-transparent-data-encryption-tde and https://sqltutorialtips.blogspot.com/2017/11/always-encrypted-vs-transparent-data.html

  • I agree. TDE = encryption at rest. If SQL Server is not running, you can't make sense of the data looking at the file.

    Always Encrypted: encryption is specific to the application.

  • They meant column-level encryption, perhaps? My head would explode if I had to do that on an entire database though.

    The absence of evidence is not evidence of absence
    - Martin Rees
    The absence of consumable DDL, sample data and desired results is, however, evidence of the absence of my response
    - Phil Parkin

  • I'm curious about what blew up with TDE?

    Michael L John
    If you assassinate a DBA, would you pull a trigger?
    To properly post on a forum:
    http://www.sqlservercentral.com/articles/61537/

  • I would assume this is TDE. That's the native encryption.

    If this is a response to regulation (PCI, SOX, etc.), this really is what your auditor thinks. I would request a meeting with whatever group audits you and ask them.

  • It took me a while to realize the person in question was conflating KMS with TDE. Because I pushed back on using TDE on our specific SQL 2012 environment, they returned with "well, use native SQL encryption and maintain your own passwords."

    Thank you all for verifying the TDE thing. I appreciate the input.

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Steve Jones - SSC Editor wrote:

    I would assume this is TDE. That's the native encryption.

    If this is a response to regulation (PCI, SOX, etc.), this really is what your auditor thinks. I would request a meeting with whatever group audits you and ask them.

    Just TDE would not be enough to meet requirements for PCI or other regulations so definitely get more clarification if that's the case.
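
The distinction the replies draw between TDE and column-level encryption, as an added T-SQL example that is not from any poster in this thread. The database, table, column, certificate and key names are hypothetical, and the passwords and file paths are placeholders.

```sql
-- Hypothetical names: SalesDemo, dbo.Customer, TdeCert, ColCert, CardKey.
-- Passwords and file paths are placeholders.

-- 1) TDE: encrypts the data and log files as a whole; queries are unchanged.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-1>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (example)';
-- Without this backup the database cannot be restored on another server.
BACKUP CERTIFICATE TdeCert TO FILE = '<path>\TdeCert.cer'
    WITH PRIVATE KEY (FILE = '<path>\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong-password-2>');
GO
USE SalesDemo;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDemo SET ENCRYPTION ON;
GO
-- encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name, encryption_state
FROM sys.dm_database_encryption_keys;
GO

-- 2) Column-level encryption: protects one column, stored as varbinary,
--    and every read or write has to call the key functions explicitly.
USE SalesDemo;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-3>';
CREATE CERTIFICATE ColCert WITH SUBJECT = 'Column certificate (example)';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE ColCert;
GO
ALTER TABLE dbo.Customer ADD CardNumberEnc varbinary(256) NULL;
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE ColCert;
UPDATE dbo.Customer
SET CardNumberEnc = ENCRYPTBYKEY(KEY_GUID('CardKey'), CardNumber);
-- DECRYPTBYKEY returns NULL when the key is not open in the session.
SELECT CustomerId,
       CONVERT(varchar(19), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CardKey;
GO
-- The plaintext CardNumber column still has to be dropped after migration.
```

With TDE a logged-in user who has SELECT permission still sees plaintext, while with the column-level form only sessions that can open CardKey can read the value.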
