TDE, DEK and the LOG

Transparent Database Encryption (TDE) was introduced in SQL Server 2008 to allow users to encrypt databases without affecting any applications. Before reading this blog, I would suggest reading Sung Hsueh’s whitepaper on TDE and the MSDN documentation, as they cover a lot of the basics. In this blog, or rather series of blog posts, I will discuss some topics in a bit more detail, especially those around which we have seen the most customer questions. Feel free to suggest anything else that you would like to be a part of this blog; I’ll start off with these topics:

1. Database Encryption Key (DEK) management:

How SQL Server stores, manages and secures the DEK(s), and how the DEK is used to start up an encrypted database.

2. TDE and the Log:

How the database log is encrypted using TDE and what its implications are.

3. Dependence on old certificates:

How a log can be dependent on an old certificate.

Based on the feedback, I can add more specific topics and scenarios. So let me know if there is something around TDE that you would specifically like to know, and I’ll try to accommodate that in this series.