We are self-hosting SQL servers; we are not using Azure for SQL Server. We would like to do encryption on data at rest for multiple SQL servers that have multiple databases. I understand using TDE includes encryption for data files and backup files. My question is, since we have multiple servers with multiple databases, and we also have dev, test, prod... servers, we have to do this for each database and backup file. Is there a way to do TDE encryption at the instance level that will encrypt all the databases on the server? Or do we have to manually create a master key, certificate and database key for each database? That sounds like maintenance complexity for day-to-day use of those databases.
Hi
Just take a look at this stairway:
https://www.sqlservercentral.com/stairways/stairway-to-transparent-data-encryption-tde
Good luck,
Andreas
January 16, 2025 at 8:12 pm
Thanks, that is a good resource. I will take a look.
January 17, 2025 at 10:38 am
The DMK you'll create only once per instance, as there can be only one for master.
With regard to the certs and DEKs, you could use the same cert for all DBs, or you may want to use separate certs per DB.
For the DEK, they are always created per DB each time.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs"
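One way to apply what the reply above describes across a whole instance, as an added T-SQL example that is not from the thread: the DMK and certificate are created once in master, the DEK is created per database in a loop, and the certificate is backed up before any database is encrypted (the passwords, certificate name and file paths are placeholders):

```sql
-- Added example: enable TDE on every user database of one instance.
USE master;
GO
-- 1. Database master key in master: created once per instance.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. One certificate in master protects the DEK of every database (assumed name TDE_Cert).
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDE_Cert')
    CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for this instance';
GO
-- 3. Back up the certificate and private key before encrypting anything; without this
--    backup an encrypted database and its backups cannot be restored on another server.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\TDE_Backup\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'C:\TDE_Backup\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
-- 4. The DEK is per database: loop over online user databases not yet encrypted.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM sys.databases AS d
    WHERE d.database_id > 4              -- skip master, tempdb, model, msdb
      AND d.state_desc = 'ONLINE'
      AND d.is_encrypted = 0;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the context change to that batch only.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
            CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
                ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;';
    EXEC sys.sp_executesql @sql;
    SET @sql = N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET ENCRYPTION ON;';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;
-- 5. Verify progress: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
```

The same script run on each dev, test and prod instance gives every instance its own certificate, so the certificate backup from each instance must be kept with that instance's database backups for disaster recovery.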
January 17, 2025 at 8:38 pm
There are products available that will encrypt the data at a folder/volume level - so any file in that folder will be encrypted. They are not inexpensive - but they can save on having to implement TDE on every database.
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
How to post questions to get better answers faster
Managing Transaction Logs
January 17, 2025 at 8:50 pm
Thanks that is good to know.
Indeed, when our cyber support asked us to encrypt all the databases on all the SQL servers, I felt there has got to be a better way.
For now, if we use TDE, we have to encrypt every database on every server, both prod and non-prod servers. This creates a lot of maintenance work for DBAs, especially at disaster recovery time, when it could create some risks.
Could you recommend or name a couple of products for SQL Server that can do this at the data file level or folder level, so that I can do some research?
Thanks
January 18, 2025 at 3:41 pm
CipherTrust is one - you can search for others.
Jeffrey Williams