
We are a small business that hosts applications and data for clients. Some of our clients are requesting we protect their data with 'encryption at rest' - although it's never very clear if they know what this really means.

The data is currently on an Azure VM running SQL Server Standard.

One option is for us to use TDE but this is only available in SQL Enterprise and the extra licencing cost would be considerable for us.

The other is to use Azure Disk Encryption on the existing SQL Standard VM for free.

Is there much practical difference in the outcome between using TDE and Disk Encryption when it comes to reassuring the client that their data is encrypted at rest?

What differences should I be considering?

userSteve

2 Answers

Transparent Data Encryption is what is actually known as encrypting data at rest.

TDE works by performing real-time I/O encryption and decryption of the data and log files (data "at rest"). The database encryption key (DEK) is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module.

Full Disk Encryption is encrypting the whole disk of your VM. That means everything residing on the disk, not only the SQL database.

So that's the difference: everything vs the DB only. Since the client asked for DB encryption, either of the two is valid, and since you can use Azure Disk Encryption for free you could do that.

Overmind
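For reference, this is the T-SQL sequence that sets up the key hierarchy the answer above describes (master key and certificate in master, DEK in the user database) and then verifies the encryption state. It is an added example, not code from the answer; the database name `ClientDb`, the certificate name, the file paths and the passwords are placeholders to replace.

```sql
-- 1. Protect the certificate with a database master key in the master database.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
-- 2. The server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for ClientDb';
GO
-- 3. Back up the certificate and private key immediately and keep them off the VM:
--    without them an encrypted database (or its backups) cannot be restored anywhere.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\secure-backup\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure-backup\TdeServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>'
    );
GO
-- 4. Create the symmetric DEK inside the client database, protected by the certificate.
USE ClientDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
-- 5. Turn TDE on; SQL Server encrypts existing pages in the background.
ALTER DATABASE ClientDb SET ENCRYPTION ON;
GO
-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb also appears here: it is encrypted as soon as any database on the instance is.
SELECT d.name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;
GO
```

The same query is what you would hand a client as evidence that the database files themselves are encrypted, which a disk-level scheme cannot show from inside SQL Server.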

The threat is that somebody can get access to and/or copy the files that make up a SQL database and load them in another SQL server, by-passing all access controls normally imposed by both the front-end application and the SQL server itself.

Disk encryption protects against such access in cases such as stolen or incorrectly disposed/decommissioned hardware and in a cloud environment against others that can get unauthorized access to the complete virtual disk image.

Since disk encryption is transparent (invisible) to the processes and users on both physical and virtual running servers, it does not protect against (unauthorized) data access that is either allowed by or by-passes the normal access controls and file system permissions imposed by the running operating system.

That is where TDE and similar application level encryption adds extra security: even when you can get access to the files on the file-system, you still can't access the data therein without the application encryption/decryption keys.

If enabling TDE is cost prohibitive, organisations typically make a risk assessment and document any existing and new measures to sufficiently safeguard the data, to mitigate the risk of data leaks and accept any remaining risks.

HBruijn