August 12, 2010 at 9:20 am
We are planning to enable TDE on some of our databases. And, I need to make all the loopholes have been covered before this major step.
I am aware of some of the known issues (limitations) of TDE. (CPU intensive, encrypted tempdb causing performance hit for non-TDE dbs etc.)
There are also some issues with restoring a db which had TDE enabled in the past.
All these probably can be handled with some planning. However, does anyone know any critical things that need to be taken care of? Or did anyone face major issues because of enabling this feature?
Are there any problems with DB maintenance when TDE is enabled? I found the following information on a MS site.
(http://msdn.microsoft.com/en-us/library/bb934049.aspx)
While a re-encryption scan for a database encryption operation is in progress, maintenance operations to the database are disabled. You can use the single user mode setting for the database to perform the maintenance operation.
What is re-encryption scan?
What maintenance operations will be disabled?
August 23, 2010 at 2:51 am
Ravi
We have enabled TDE in our environment and it's not impacting much performance since the db is medium used OLTP application. We have taken the backup of certificates used and stored in safe location, when we need to restore the db in dev environment we will make sure that the certificate exists there, else it will restored from the backup then we will restore the db.
Regarding your question, I have taken the below from TDE white paper. Probably re-scan means that
The server starts a background thread (called the encryption scan or scan) that scans all database files and encrypts them (or decrypts them if you are disabling TDE). While the DDL executes, an update lock is taken on the database. The encryption scan, which runs asynchronously to the DDL, takes a shared lock. All normal operations that do not conflict with these locks can proceed. Excluded operations include modifying the file structure and detaching the database. While normal database writes to disk from the buffer pool are encrypted, log file writes may not be. The scan also forces a rollover for the virtual log file (VLF) to ensure that future writes to the log are encrypted. This is discussed in more detail later in this white paper.
Regards..Vidhya Sagar
SQL-Articles
August 23, 2010 at 11:29 am
Thank you, Vidhya Sagar.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply