TDE for multiple databases and servers

  • We are self-hosting SQL servers; we are not using Azure for SQL servers, and we would like to do encryption on data that is at rest for multiple SQL servers that have multiple databases. I understand using TDE includes encryption for data files and backup files. My question is, since we have multiple servers with multiple databases, and we also have dev, test, prod... servers, we have to do this for each of the databases and backup files. Is there a way to do the TDE encryption at instance level, that will encrypt all the databases on the server? Or do we have to manually create a master key, certificate and database key for each database? That sounds like a maintenance complexity for day-to-day use of those databases.


  • Hi

    just take a look at this stairway:

    https://www.sqlservercentral.com/stairways/stairway-to-transparent-data-encryption-tde

    Good luck,

    Andreas

  • Thanks, that is a good resource. I will take a look.

  • sqlfriend wrote:

    We are self-hosting SQL servers; we are not using Azure for SQL servers, and we would like to do encryption on data that is at rest for multiple SQL servers that have multiple databases. I understand using TDE includes encryption for data files and backup files. My question is, since we have multiple servers with multiple databases, and we also have dev, test, prod... servers, we have to do this for each of the databases and backup files. Is there a way to do the TDE encryption at instance level, that will encrypt all the databases on the server? Or do we have to manually create a master key, certificate and database key for each database? That sounds like a maintenance complexity for day-to-day use of those databases.

    The DMK you'll create only once per instance, as there can be only one for master.

    With regard to the certs and DEKs, you could use the same cert for all DBs, or you may want to use separate certs per DB.

    For the DEK, they are always created per DB each time.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • There are products available that will encrypt the data at a folder/volume level, so any file in that folder will be encrypted. They are not inexpensive, but they can save on having to implement TDE on every database.

    Jeffrey Williams
    “We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”

    ― Charles R. Swindoll

    How to post questions to get better answers faster
    Managing Transaction Logs

  • Thanks, that is good to know.

    Indeed, when our cyber support asked us to encrypt all the databases on all the SQL servers, I felt there had to be better ways.

    For now, if we use TDE, we have to encrypt every database on every server, both prod and non-prod servers. This creates a lot of maintenance work for DBAs, especially at disaster recovery time, when it could create some risks.

    Could you recommend or name a couple of products for SQL Server that can do this at the data file level or folder level, so that I can do some research?

    Thanks

  • CipherTrust is one; you can search for others.

    Jeffrey Williams
