03 May,2022 by Tom Collins
Does AWS RDS SQL Server support built-in SQL Server Transparent Data Encryption (TDE)? Yes, is the short answer, but there are some limitations.
Before I dive into the AWS SQL Server RDS TDE limitations, note that this post discusses SQL Server TDE, as opposed to RDS encryption, which is available for Aurora, MySQL, MariaDB, PostgreSQL, Oracle and SQL Server.
RDS SQL Server supports TDE, but AWS places some limitations on it:
1) AWS RDS SQL Server doesn't support importing or exporting TDE certificates. If you attempt to execute a CREATE CERTIFICATE statement you will receive a permission restriction message; the same applies if you attempt a BACKUP CERTIFICATE.
2) You can create native backups of Transparent Data Encryption (TDE)-enabled databases, but you can't restore those backups to on-premises databases.
3) You can't restore native backups of TDE-enabled on-premises databases onto an AWS RDS SQL Server instance.
4) You can’t restore TDE-encrypted database backups to or from another server.
For migrating an on-prem TDE-enabled database, alternatives to backup/restore are required, such as:
- disable TDE, then backup/restore
- transfer the objects directly into the database
- AWS DMS
Enabling TDE on an AWS RDS SQL Server instance is similar to on-prem, with the same command set. The SQL below is a demo, and also demonstrates that the code and sequence are the same. One significant difference is how TDE is enabled: on an RDS instance, TDE is turned on by associating an option group with the RDS instance, i.e. create a new option group, e.g. "sqlserver-tde", with the option TRANSPARENT_DATA_ENCRYPTION.
create database myTDEDB
go
USE [master]
GO
-- RDS creates and manages the server certificate; find its name here
SELECT name FROM sys.certificates WHERE name LIKE 'RDSTDECertificate%'
-- e.g. RDSTDECertificate22222222222
GO
USE [myTDEDB]
GO
-- create the database encryption key, protected by the RDS-managed certificate
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE [RDSTDECertificate22222222222]
GO
ALTER DATABASE [myTDEDB] SET ENCRYPTION ON
GO
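The script below is an added example, not code from the original post, and it serves two points above: verifying what the enable sequence actually did, and the "disable TDE, then backup/restore" migration route, which matters because a native backup of a TDE-enabled RDS database cannot be restored on another server. It assumes the database name myTDEDB and the certificate name RDSTDECertificate22222222222 from the post (the certificate name on a real instance will differ) and queries only standard SQL Server catalog views and DMVs.

```sql
-- Added example (not from the original post). Assumes database myTDEDB and
-- the RDS-managed certificate name shown in the post; both are placeholders.
USE [master];
GO

-- 1) Inventory: which databases hold a database encryption key (DEK), what
--    state it is in, and which server certificate protects it.
--    encryption_state: 0 = no DEK, 1 = unencrypted, 2 = encryption in
--    progress, 3 = encrypted, 4 = key change in progress,
--    5 = decryption in progress, 6 = protection change in progress.
SELECT d.name                           AS database_name,
       ISNULL(dek.encryption_state, 0)  AS encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       c.name                           AS certificate_name,
       c.expiry_date
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek
       ON dek.database_id = d.database_id
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint
WHERE d.database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY d.name;
GO

-- 2) Migration prep: a native backup taken while encryption_state is 3 (or
--    still 5) depends on the RDS certificate, which cannot be exported, so
--    turn encryption off and wait for the background decryption to finish.
ALTER DATABASE [myTDEDB] SET ENCRYPTION OFF;
GO

DECLARE @state int = 5;
WHILE @state <> 1
BEGIN
    WAITFOR DELAY '00:00:10';
    -- MAX() over zero rows yields NULL; treat a missing DEK row as done
    SELECT @state = ISNULL(MAX(encryption_state), 1)
    FROM sys.dm_database_encryption_keys
    WHERE database_id = DB_ID(N'myTDEDB');
END;
GO

-- 3) Only once the state is 1 (unencrypted) can the DEK be dropped. If the
--    transaction log still contains encrypted log records the DROP fails;
--    take a log backup (or let the log truncate) and retry. After this a
--    native backup restores anywhere without the RDS certificate.
USE [myTDEDB];
GO
DROP DATABASE ENCRYPTION KEY;
GO
```

Run step 1 on its own first; it is read-only and shows, for every user database, whether the backup you are about to take is tied to the instance's certificate. Steps 2 and 3 change the database and should only be run as part of a planned migration, since the data is stored unencrypted at the SQL Server level until TDE is re-enabled on the target.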
Read more on TDE
Impact on TDE encryption in progress on SQL Server restart
How to measure Transparent Data Encryption (TDE) Performance