ArcMap

Transparent Data Encryption (TDE) for the Workflow Manager workspace in SQL Server

Available with Workflow Manager license.

Complexity:
Beginner
Data Requirement:
ArcGIS Tutorial Data for Desktop

Several precautions can be taken to help secure the database, including designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, in a scenario where the physical media (such as drives or backup tapes) is stolen, a malicious party can restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.

Transparent Data Encryption (TDE) enables you to encrypt sensitive data, such as credit card numbers, stored in tables and FileGroups. Encrypted data is transparently decrypted for a database user or application that has access to data. TDE helps protect data stored on media in the event that the storage media or data file is stolen. SQL Server uses authentication, authorization, and auditing mechanisms to secure data in the database but not in the operating system data files where data is stored. To protect these data files, SQL Server provides TDE. TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database.

TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an Extensible Key Management (EKM) module. TDE protects data at rest, meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries. This enables software developers to encrypt data using American Encryption Standard (AES) and 3DES encryption algorithms without changing existing applications.

Database files are encrypted at the page level. The pages in an encrypted database are encrypted before they are written to disk and decrypted when read into memory. TDE does not increase the size of the encrypted database.

Benefits of using TDE

  • As a security administrator, you can be sure sensitive data is safe in the event that the storage media or data file is stolen.
  • Implementing TDE helps you address security-related regulatory compliance issues.
  • You do not need to create triggers or views to decrypt data for the authorized user or application. Data from tables is transparently decrypted for the database user and application.
  • Database users and applications need not be aware that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and applications.
  • Applications need not be modified to handle encrypted data. Data encryption and decryption are managed by the database.
  • Key management operations are automated. The user or application does not need to manage encryption keys.

Learn more about TDE

To use TDE, follow these steps in SQL Server Management Studio.

  1. Create a master key.
  2. Create or obtain a certificate protected by the master key.
  3. Create a database encryption key and protect it by the certificate.
  4. Set the database to use encryption.

Example of TDE

You can use the SQL commands below to configure TDE. You can choose the password for the master key, and when backing up the master key, you can choose the folder and file name.

TDE example

USE master
GO
/* Verify master key */
SELECT * FR