What is TDE?
Transparent Data Encryption (TDE) is an encryption method known as encrypting data at rest. Using this method the encryption of a database is performed at page level. The process of encrypting/decrypting is handled by the SQL Server. The pages in an encrypted database are encrypted before they are written to disk and decrypted when read into memory.
This type of encryption is transparent to the GFI product consuming the database: SQL Server manages the entire encryption and decryption process. GFI customers that decide to use TDE do not need to do any further configuration on their products.
Which databases can use TDE?
Transparent Data Encryption can be used with the following databases:
- SQL Server
- Azure SQL Database
- Azure SQL Data Warehouse
- Parallel Data Warehouse
TDE cannot be used with any version of SQL Server Express.
Which GFI Products support TDE?
- GFI Archiver
- GFI OneGuard
- GFI LanGuard
- Exinda Network Orchestrator
How does TDE help GDPR?
GDPR requires data controllers and processors to implement “data protection by design and by default” using appropriate technical and organizational measures (Article 25). This can be demonstrated by an approved certification mechanism (Article 42). More specific security requirements include encryption and pseudonymization.
For further information see https://www.gfi.com/gdpr-compliance
How does TDE work?
TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. TDE protects data "at rest", meaning the data and log files.
TDE provides the ability to comply with many laws, regulations, and guidelines established in various industries.
TDE can only protect data "at rest", that is, while it is stored in the database files. It does not provide encryption across communication channels. To protect data being transmitted over the network, use HTTPS connections.
How do I implement TDE?
To use TDE follow these steps:
- Create a master key.
- Create or obtain a certificate protected by the master key.
- Create a data encryption key and protect it with the certificate.
- Set the database to use encryption.
The following SQL script illustrates the steps described above: it configures the GFI LanGuard database LNSSScanResult12 using a certificate named MyServerCert created on the server and enables encryption on the database:
-- Step 1: create the database master key in the master database.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<MyStrongPassword>';
GO
-- Step 2: create the server certificate that will protect the database encryption key.
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
GO
-- Step 3: create the database encryption key (DEK) inside the database to be encrypted.
USE LNSSScanResult12;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_128
    ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
-- Step 4: switch encryption on; SQL Server encrypts the existing pages in the background.
ALTER DATABASE LNSSScanResult12 SET ENCRYPTION ON;
GO
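The script above enables TDE but does not show how to confirm that the background encryption scan has finished, nor how to protect the certificate that the DEK depends on (without a backup of that certificate and its private key, an encrypted database cannot be restored or attached on another server). The following script is an added example, not part of the original article or of any GFI product; the file paths and the backup password are placeholders, and it reuses the LNSSScanResult12 database and MyServerCert certificate names from the article.

```sql
-- Added example (not from the original article): verify the TDE state of
-- LNSSScanResult12 and back up the keys it depends on.
-- Paths and passwords below are placeholders to be replaced.
USE master;
GO

-- 1. Check the encryption state reported by SQL Server.
--    encryption_state: 1 = unencrypted, 2 = encryption in progress,
--    3 = encrypted, 5 = decryption in progress. percent_complete is only
--    meaningful while a scan is running. tempdb is also listed once any
--    user database on the instance is encrypted.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON d.database_id = k.database_id
WHERE d.name = 'LNSSScanResult12';
GO

-- 2. Back up the database master key and the certificate with its private key.
--    Store these files and their passwords separately from the database backups;
--    anyone holding both the backups and these files can read the data.
BACKUP MASTER KEY
    TO FILE = 'C:\TDEKeyBackup\master_key.bak'
    ENCRYPTION BY PASSWORD = '<MasterKeyBackupPassword>';
GO

BACKUP CERTIFICATE MyServerCert
    TO FILE = 'C:\TDEKeyBackup\MyServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEKeyBackup\MyServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<PrivateKeyBackupPassword>'
    );
GO

-- 3. Recovery side (run on the destination server, which must already have
--    its own database master key): recreate the certificate from the backup
--    before restoring or attaching the encrypted database.
-- CREATE CERTIFICATE MyServerCert
--     FROM FILE = 'C:\TDEKeyBackup\MyServerCert.cer'
--     WITH PRIVATE KEY (
--         FILE = 'C:\TDEKeyBackup\MyServerCert.pvk',
--         DECRYPTION BY PASSWORD = '<PrivateKeyBackupPassword>'
--     );
-- GO
```

Run the first query until encryption_state reports 3; a database whose state is still 2 has pages on disk that are not yet encrypted. Keep the certificate backup current whenever the certificate is rotated, because a restore of an encrypted database only succeeds on an instance that holds the certificate that was protecting the DEK at backup time.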