Reviewed-by: Székely, Ond <ond.szekely@t-systems.com> Co-authored-by: Ru, Li Yi <liyiru7@huawei.com> Co-committed-by: Ru, Li Yi <liyiru7@huawei.com>
Configuring the TDE Function
Transparent Data Encryption (TDE) encrypts data files and backup files using a certificate, so that database pages are encrypted and decrypted in real time as they are written to and read from disk. TDE protects databases and data files at rest; it does not encrypt data in transit and does not restrict what an authorized database login can read.
Currently, the TDE function supports single and primary/standby DB instances of the Microsoft SQL Server editions listed in Table 1.
Table 1 DB instance types and SQL Server editions that support TDE

| DB Instance Type | Editions Supporting TDE |
|---|---|
| Primary/Standby (1/1) | |
| Single DB instances | |
| Cluster | |
Constraints
- If TDE has been enabled for a single DB instance, the instance cannot be changed to primary/standby DB instances.
- RDS for SQL Server currently does not support downloading the TDE certificate. A .bak file taken from an encrypted database therefore cannot be restored outside the instance, because SQL Server refuses to restore a TDE-encrypted backup unless the certificate protecting its database encryption key is present. To restore data offline, perform the following operations:
  1. Disable TDE for the database. For details, see Configuring Database-Level TDE.
  2. Create a manual backup for the database.
  3. Restore data from the manual backup.
  4. Enable TDE for the database again as required.
- Enabling TDE improves data security but adds encryption and decryption overhead to every read and write of the encrypted databases. Exercise caution when enabling TDE.
- To migrate on-premises encrypted databases to RDS for SQL Server DB instances, disable database-level TDE on the source databases first.
- DB instances with the instance-level TDE function enabled cannot be restored from backups to existing DB instances.
- While instance-level TDE is being enabled, or while the stored procedure rds_tde is enabling or disabling database-level TDE, you are advised not to perform the following operations:
  - Delete files from file groups in databases.
  - Delete databases.
  - Take databases offline.
  - Split databases.
  - Convert databases or file groups to the READ ONLY state.
  - Run the ALTER DATABASE command.
  - Create backups.
  - Start backup for databases or database files.
  - Start restoration for databases or database files.
Enabling Instance-Level TDE
- Log in to the management console.
- Click the region selector in the upper left corner and select a region and a project.
- Click Service List. Under Database, click Relational Database Service. The RDS console is displayed.
- On the Instances page, click the target DB instance.
- In the DB Information area, click the switch in the TDE field to enable TDE.
Configuring Database-Level TDE

Before enabling the database-level TDE function, ensure that the instance-level TDE function has been enabled.
- Connect to the target DB instance.
- Use the stored procedure rds_tde to enable, disable, or query the database-level TDE status:

```sql
EXEC master.dbo.rds_tde DatabaseName, TDE_Action
```

  - DatabaseName: the name of the target database. It can be null.
  - TDE_Action:
    - -1: queries the encryption status. If DatabaseName is null, the encryption status of all databases is returned.
    - 0: disables TDE for the database.
    - 1: enables TDE for the database.
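The following T-SQL is an added worked example, not code from the RDS documentation. It walks through the database-level procedure above (query, enable, verify, and the disable call that the offline-restore steps in Constraints require) for a hypothetical database named AppDB. It assumes instance-level TDE is already enabled on the console, that NULL is accepted for DatabaseName as the text states, and that the RDS login is allowed to read the standard SQL Server views sys.databases and sys.dm_database_encryption_keys (the views are standard SQL Server; their availability on RDS is an assumption here).

```sql
-- Added example, not part of the RDS documentation.
-- Database name "AppDB" is hypothetical.

-- 1. Query the TDE status of every database
--    (DatabaseName = NULL, TDE_Action = -1).
EXEC master.dbo.rds_tde NULL, -1;

-- 2. Enable database-level TDE for AppDB only (TDE_Action = 1).
EXEC master.dbo.rds_tde 'AppDB', 1;

-- 3. Check the status through the stored procedure ...
EXEC master.dbo.rds_tde 'AppDB', -1;

-- 4. ... and independently through the SQL Server catalog (assumed readable on RDS).
--    encryption_state: 1 = unencrypted, 2 = encryption in progress,
--    3 = encrypted, 5 = decryption in progress.
--    Hold off backups, restores and ALTER DATABASE until the state is 3
--    (or 1 after a disable), as the Constraints section advises.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.encryptor_type,
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.name = N'AppDB';

-- 5. Before an offline restore (the certificate cannot be downloaded):
--    disable TDE, wait until encryption_state returns 1, then take the
--    manual backup from the console and restore from that backup.
EXEC master.dbo.rds_tde 'AppDB', 0;
```

Checking the catalog view in step 4 rather than relying only on the stored procedure lets you see whether encryption or decryption is still in progress (encryption_state 2 or 5) and how far it has got (percent_complete); a backup taken while decryption is still running is still TDE-encrypted and cannot be restored offline.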
Parent topic: Data Security