How can I activate the transparent data encryption

Support for transparent data encryption in SQL Server

Amazon RDS supports the use of Transparent Data Encryption (TDE) to encrypt data stored on your DB instances running Microsoft SQL Server. TDE automatically encrypts data before it is written to storage and automatically decrypts it when the data is read from storage.

Amazon RDS supports TDE for the following SQL Server versions and editions:

  • SQL Server 2019: Standard and Enterprise Editions

  • SQL Server 2017 Enterprise Edition

  • SQL Server 2016 Enterprise Edition

  • SQL Server 2014 Enterprise Edition

  • SQL Server 2012 Enterprise Edition

Transparent Data Encryption for SQL Server manages encryption keys using a two-tier key architecture. A certificate generated from the database master key protects the database encryption key, and the database encryption key performs the actual encryption and decryption of the data in the user database. Amazon RDS secures and manages the database master key and the TDE certificate.

RDS does not support the export of TDE certificates.

Transparent Data Encryption is used in scenarios where you need to encrypt sensitive data, for example when you make data files and backups available to a third party, or when there are security-related regulatory compliance requirements. You cannot encrypt the SQL Server system databases, such as the or databases.

You can create native backups of TDE-enabled databases, but you cannot restore these backups to on-premises databases.

An in-depth discussion of Transparent Data Encryption is beyond the scope of this guide, but you should understand the security strengths and weaknesses of each encryption algorithm and key length. For more information about Transparent Data Encryption for SQL Server, see Transparent Data Encryption (TDE) on the Microsoft website.

Activate TDE

To enable Transparent Data Encryption for an RDS for SQL Server DB Instance, specify the TDE option in an RDS option group associated with that DB Instance.

  1. Determine whether your DB instance is already associated with an option group that has the TDE option. You can use the RDS console, the AWS CLI describe-db-instances command, or the DescribeDBInstances API operation to view the option group to which the DB instance is assigned.

  2. If the DB instance is not assigned to an option group that has the TDE option, you have two choices. You can create a new option group and add the TDE option to it, or you can modify the associated option group and add the TDE option to it.

    In the RDS console, the option is called. In the AWS CLI and RDS API it is called.

    For more information on creating or modifying an option group, see Working with Option Groups. For more information about adding an option to an option group, see Adding an Option to an Option Group.

  3. Assign an option group to the DB instance that has the TDE option. For more information about associating a DB instance with an option group, see Modifying an Amazon RDS DB Instance.

Encrypt data

When the TDE option is added to an option group, Amazon RDS generates a certificate that is used in the encryption process. You can then use that certificate in SQL statements that encrypt a database on the DB instance. The following example uses the RDS-generated certificate called to encrypt a database called .
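The T-SQL sequence that the paragraph above describes, as an added example that is not taken from this page or from the RDS documentation. The database name customerDatabase and the certificate name RDSTDECertificateName are placeholders, and the LIKE pattern used to find the RDS-generated certificate is an assumption; always take the real name from sys.certificates.

```sql
-- Added example (not from the original page). Run as the master user of the
-- RDS for SQL Server instance. [customerDatabase] and [RDSTDECertificateName]
-- are placeholders: RDS creates the certificate, so you cannot choose its name.

-- 1. Find the TDE certificate that RDS generated when the TDE option was added
--    (the name prefix below is an assumption; use whatever this query returns).
USE [master];
GO
SELECT name, subject, expiry_date
FROM sys.certificates
WHERE name LIKE 'RDSTDECertificate%';
GO

-- 2. Create a database encryption key (DEK) in the user database, protected by
--    the server certificate from step 1. AES_256 is the strongest TDE algorithm.
USE [customerDatabase];
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE [RDSTDECertificateName];
GO

-- 3. Switch encryption on. SQL Server starts a background scan that encrypts
--    existing pages; the database stays online while it runs.
ALTER DATABASE [customerDatabase] SET ENCRYPTION ON;
GO

-- 4. Check progress and the resulting key. encryption_state 2 = encryption in
--    progress (watch percent_complete), 3 = encrypted. tempdb is listed too,
--    because SQL Server encrypts it as soon as any user database is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
```

Re-run the last query until encryption_state is 3 for the database; only then are all existing data pages encrypted on storage.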

How long it takes to encrypt a SQL Server database with TDE depends on several factors, including the size of the DB instance, whether Provisioned IOPS (PIOPS) is enabled for the instance, and the amount of data.

Option group considerations

The TDE option is a persistent option that can only be removed from an option group once all DB instances and backups have been disassociated from the option group. Once you add the TDE option to an option group, that option group can only be associated with DB instances that use TDE. For more information on persistent options in an option group, see Option Groups Overview.

Because the TDE option is a persistent option, a conflict can arise between the option group and an associated DB instance in the following situations:

  • The current option group has the TDE option. You replace it with an option group that does not have the TDE option.

  • You are restoring from a DB snapshot to a new DB instance that does not contain an option group with the TDE option. For more information about this scenario, see Option Group Considerations.

Deactivating TDE

To disable TDE for a DB instance, first ensure that there are no more encrypted objects on the DB instance, by either decrypting or deleting the objects. If encrypted objects remain on the DB instance, you cannot disable TDE for it. When you use the console to remove the TDE option from an option group, the console indicates that processing is in progress. An error event is also generated if the option group is still associated with an encrypted DB instance or DB snapshot.

The following example removes TDE encryption from a database named.
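The decryption sequence referred to above, as an added example that is not taken from this page or from the RDS documentation; customerDatabase is a placeholder name. The important ordering point is that the database encryption key can only be dropped after the decryption scan has finished.

```sql
-- Added example (not from the original page). [customerDatabase] is a placeholder.

-- 1. Switch encryption off. This starts a background decryption scan; the
--    database remains usable while the scan runs.
ALTER DATABASE [customerDatabase] SET ENCRYPTION OFF;
GO

-- 2. Poll until decryption has finished. encryption_state 5 = decryption in
--    progress (watch percent_complete), 1 = unencrypted but the DEK still exists.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('customerDatabase');
GO

-- 3. Only once encryption_state is 1, drop the database encryption key. The DEK
--    is still protected by the RDS certificate, so it must go before the TDE
--    option can be removed; dropping it while the scan is running fails.
USE [customerDatabase];
GO
DROP DATABASE ENCRYPTION KEY;
GO

-- 4. Confirm that no database on the instance still holds a DEK. Once the list
--    is empty (tempdb drops out after a restart), the instance has no encrypted
--    objects and can be moved to an option group without the TDE option.
SELECT DB_NAME(database_id) AS database_name, encryption_state
FROM sys.dm_database_encryption_keys;
GO
```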

When all objects are decrypted, you have two choices. You can modify the DB instance so that it is associated with an option group that does not have the TDE option, or you can remove the TDE option from the option group.