Skip to main content
Our Tech Ideas

Understanding Transparent Data Encryption (TDE) in SQL Server

Adding a TDE-Enabled Database to an Always On Availability Group

Understanding Transparent Data Encryption (TDE)

SQL Server offers various encryption mechanisms to secure data, and Transparent Data Encryption (TDE) is one of the prominent features. TDE provides real-time encryption and decryption of the data and log files without requiring changes to the application. However, for more granular control, SQL Server also supports column-level encryption, which allows individual columns to be encrypted within a table.

In this blog, we will explore column-level encryption with an example to demonstrate how to secure sensitive data in SQL Server.

Step-by-Step Example for Column-Level Encryption

1. Creating a Master Key

First, we need to create a master key. The master key is a symmetric key used to protect the private keys of certificates and asymmetric keys in the database.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'StrongPassword123';
SQL

2. Creating a Certificate

Next, we create a certificate that will be used to encrypt the symmetric key. Certificates are database-level security objects in SQL Server.

CREATE CERTIFICATE MyCertificate WITH SUBJECT = 'My Certificate';
SQL

3. Creating a Symmetric Key

Now, we create a symmetric key. Symmetric keys are used for the actual encryption of data. Here, we use the AES_256 algorithm, which is a strong encryption standard.

CREATE SYMMETRIC KEY MySymmetricKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE MyCertificate;
SQL

4. Encrypting Data in a Table

To encrypt data, we need to open the symmetric key, use it to encrypt the data, and then store the encrypted data in the table.

-- Opening the symmetric key
OPEN SYMMETRIC KEY MySymmetricKey
    DECRYPTION BY CERTIFICATE MyCertificate;

-- Updating the table with encrypted data
UPDATE dbo.YourTable
SET EncryptedColumn = EncryptByKey(Key_GUID('MySymmetricKey'), 'SensitiveData');
SQL

In this example, ‘SensitiveData’ is the data we want to encrypt, and EncryptedColumn is the column in the dbo.YourTable table where the encrypted data will be stored.

5. Decrypting Data

To decrypt the data, we again open the symmetric key and use it to decrypt the data. The decrypted data can then be selected from the table.

-- Decrypting data
SELECT CONVERT(varchar, DecryptByKey(EncryptedColumn)) AS DecryptedData
FROM dbo.YourTable;

-- Closing the symmetric key
CLOSE SYMMETRIC KEY MySymmetricKey;
SQL

In this query, the DecryptByKey function is used to decrypt the data stored in EncryptedColumn, and the CONVERT function is used to cast the decrypted binary data back to a readable format.

Conclusion

Column-level encryption in SQL Server provides a robust mechanism to protect sensitive data at a granular level. By following the steps outlined above, you can ensure that sensitive information is encrypted and decrypted securely within your SQL Server database.

Using Transparent Data Encryption (TDE) alongside column-level encryption can offer comprehensive security for your data, ensuring both the database files and individual pieces of sensitive information are protected.

Note: Always use strong passwords and encryption algorithms to enhance security. Regularly back up your encryption keys and certificates, and store them in a secure location to prevent data loss.