Configuring the TDE Function

Transparent Data Encryption (TDE) encrypts data files and backup files using certificates to implement real-time I/O encryption and decryption. This function effectively protects the security of databases and data files.

Currently, the TDE function supports single and primary/standby DB instances of the Microsoft SQL Server editions listed in Table 1.

Table 1 SQL Server editions that support the TDE function

DB Instance Type

Editions Support for TDE

Primary/Standby (1/1)
  • 2017 SE
  • 2019 SE

Single DB instances
  • 2017 SE
  • 2019 SE

Cluster
  • 2017 EE
  • 2019 EE

Constraints

  1. If TDE has been enabled for a single DB instance, the instance cannot be changed to primary/standby DB instances.
  2. RDS for SQL Server currently does not support TDE certificate download. To restore data offline using the encrypted .bak file, perform the following operations:
    1. Disable TDE for the database. For details, see Configuring Database-Level TDE.
    2. Create a manual backup for the database.
    3. Restore data from the manual backup.
    4. Enable TDE for the database as required.
  3. Enabling TDE improves data security but affects read and write performance of encrypted databases. Exercise caution when enabling TDE.
  4. To migrate on-premises encrypted databases to RDS SQL Server DB instances, you need to disable database-level TDE first.
  5. DB instances with the instance-level TDE function enabled cannot be restored from backups to existing DB instances.
  6. When enabling the instance-level TDE function or using the stored procedure rds_tde to enable or disable database-level TDE, you are advised not to perform the following operations:
    • Delete files from file groups in databases.
    • Delete databases.
    • Take databases offline
    • Split databases.
    • Convert databases or file groups to the READ ONLY state.
    • Run the ALTER DATABASE command.
    • Create backups.
    • Start backup for databases or database files.
    • Start restoration for databases or database files.

Enabling Instance-Level TDE

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and a project.
  3. Click Service List. Under Database, click Relational Database Service. The RDS console is displayed.
  4. On the Instances page, click the target DB instance.
  5. In the DB Information area, click in the TDE field to enable TDE.

Configuring Database-Level TDE

Before enabling the database-level TDE function, ensure that the instance-level TDE function has been enabled.

  1. Connect to the target DB instance.
  2. Use the stored procedure rds_tde to enable, disable, or query the database-level TDE status.

    exec master.dbo.rds_tde DatabaseName,TDE_Action

    • DatabaseName: indicates the target database name, which can be null.
    • TDE_Action:
      • The value -1 indicates that the database encryption status is queried.

        If DatabaseName is null, the encryption status of all databases is returned.

      • The value 0 indicates that the TDE function is disabled.
      • The value 1 indicates that the TDE function is enabled.
    1. Enable TDE for database db1.

      exec master.dbo.rds_tde db1, 1

      Figure 1 Enabling TDE
    2. Disable TDE for database db1.

      exec master.dbo.rds_tde db1, 0

      Figure 2 Disabling TDE
    3. Query the TDE status of database db1.

      exec master.dbo.rds_tde db1, -1

      Figure 3 Querying the TDE status (Enabled)
      Figure 4 Querying the TDE status (Disabled)
    4. Query the TDE status of all databases.

      exec master.dbo.rds_tde null, -1

      Figure 5 Querying the TDE status of all databases

Parent topic: Data Security