DEV Community 👩‍💻👨‍💻

Cover image for Does every DBA need to understand Transparent Data Encryption (TDE)?
Lorena C Silva for Vaultree

Posted on • Updated on

Does every DBA need to understand Transparent Data Encryption (TDE)?

Protecting sensitive information requires the latest and most advanced privacy enhancing technologies. Whether you're a DBA or someone who's simply curious about the topic, here's our take on DBA's and Transparent Data Encryption.

A DBA (Database Administrator) is the professional responsible for the creation, installation, monitoring, repair and analysis of the database architecture. They have the responsibility of analysing the banks periodically so that there are no overloads in the system, and also to check that the destination of the servers is correct, according to the company's standardisation and good development practices. In addition to these functions, a DBA can also:

  • Deliver data in perfect integrity and availability
  • Work with the security and development teams
  • Ensure maximum performance for database queries

Cryptography is a technique that can be used to maintain the secrecy and protection of database information. The goal is to use encryption to prevent unauthorised people from gaining access to stored data. Only those with the appropriate encryption key can view it, keeping data safe from malicious individuals, and even malware.

Data at rest

Before we delve into how TDE (Transparent Data Encryption) works, we need to understand the concept of Data at Rest. In short we can say that a data at rest is when data has arrived at a destination and is not being accessed or used. This data can include data classified as structured and unstructured data. Such data can be archive files that are rarely or never changed, without any kind of constancy.

In the context of information security, these types of data are easily accessible to hacker threats to gain access digitally or physically. In order to keep it secure, companies choose to employ security protection measures through encryption, or a combination with key protection.

This type of data is relatively easier to protect compared to data in motion and data in use, but it's important to choose the best preventative measure with care, as it is not in constant use and good practices must also be implemented.

We can conclude that data at rest, is data that has been written to disk, because when written to disk, it creates a protection gap:

  • Any data files for our database
  • Any log files for our database
  • All backup files for the database, be they Full, Log or Differential backups
  • Database snapshot files
  • Any data written to disk in the TempDB database

Image description

Transparent Data Encryption (TDE)

The main purpose of TDE is to protect data by encrypting physical files, i.e. data "at rest". This type of encryption works on SQL Server, Azure Database and Azure SQL Data Warehouse data files.

The development was based so that the whole encryption process was completely transparent to the applications that access and use the database. How? It's quite curious: Advanced Encryption Standard (AES) or Triple DES is used, the file pages are encrypted and then decrypted as the information reaches memory. It puts an end to any limitations on querying data from an encrypted database. One super interesting advantage is that even using complex processing, the size of the database does not increase, it remains constant.

TDE works by using an encryption key that is stored in the database being encrypted - but this key is stored encrypted by an object outside the database. When using TDE the backups of the database are also encrypted, meaning that if something happens to that backup, it can only be restored with the certificate, passwords and keys used during its setup.

During TDE configuration you can specify which AES algorithm you wish to use for encryption: AES_128, AES_192 or AES_256 - The number specifies the length of the key that will be used for encryption in bits. The bigger the key the harder it will be to decrypt. When choosing AES_128, for example, we're talking about more than a thousand years. But at the moment of choosing, the only concern should be how much the technology might evolve in the next few years. So, the remaining question is: X years from now, will it still take a thousand years to decrypt?

Image description

TempDB is encrypted too!

"The tempdb system database is a global resource that holds: Temporary user objects that are explicitly created. They include global or local temporary tables and indexes, temporary stored procedures, table variables, tables returned in table-valued functions, and cursors" - Microsoft Docs

A very interesting feature is that automatically TempDB will be encrypted. After all, all user databases use tempdb to process and store temporary objects. As much as it is not fully viewable, this process demonstrates a great power of security and professionalism during development.


The implementation is easily cited in documentation from Oracle and SQL Server. To demonstrate the simplicity of the process we can understand its operation in the following order:

  1. Creation of the master key
  2. Create certificate protected by master key
  3. Create database encryption key
  4. Activation of encryption
  5. Backing up certificate

DBA Responsibilities

If you are a DBA, there is a good chance that you are in charge of protecting sensitive and/or confidential information. That means also making sure to be aware of the latest and most advanced privacy enhancing technologies to keep data, businesses and individuals safe. We gathered a few articles that might help you on this mission:

At Vaultree we are building an encrypted future. We love sharing valuable information and trends to help you keep your data safe. Sign up to stay in the loop and discuss the hottest trends in cybersec with a team of experts.

Image description

Latest comments (0)

🌚 Friends don't let friends browse without dark mode.

Sorry, it's true.