0

How can you encrypt data at rest on SQL Server Web Edition? TDE is apparently not an option, but I don't know what else is available. Any recommendations?

Brandi

2 Answers

1

What threat are you trying to protect against? Accidental media loss? Server access compromise? Physical hardware loss? The options and solutions vary vastly with the threat being mitigated.

A disk encryption system, like BitLocker, will encrypt the entire disk in a very efficient fashion but it only protects against physical loss of the hardware or accidental loss of the hard drive. A solution like TDE will protect the media (the database files) including backups, and including workload spills in tempdb. File-level encryption (EFS) does not work with SQL Server. More precisely, it works with abysmal performance.

These are the only options that work out of the box for any application. Other solutions include encrypting the data in the application or using the SQL Server cryptographic API (EncryptByKey). But these all require you to design the application specifically for using the cryptographic API (i.e. they are not transparent).

But again, the most important decision to make is to clearly state the threat you're trying to mitigate.

Wouter
Remus Rusanu
  • Basically, what I need is TDE, but it only works on SQL Server Enterprise Edition, and we have a remote server using Web Edition. The threat is that the data is private information and should not be seen in plain text. I wonder how people encrypted their SQL Server databases before TDE came along with 2008? I have seen EncryptByKey and DecryptByKey. Seems like it will be a usable option in my case, but I was hoping for more like an alternative to TDE. Oh well, thanks for clarifying. :) – Brandi Jun 30 '10 at 14:18
  • Also, it strikes me as not very secure that the certificate for encrypting and decrypting would be sitting in the database together with the information? – Brandi Jun 30 '10 at 14:50
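
An added example, not part of the original answer or comments: column-level encryption with the EncryptByKey / DecryptByKey API mentioned in the answer above. The table, key and certificate names and the password are constructed placeholders; protecting the certificate with a password (rather than the database master key) is one assumed design in which the database files or a backup alone do not contain everything needed to open the key.

```sql
-- Constructed example: object names, sample row and password are placeholders.
CREATE TABLE dbo.Customer (
    CustomerId   INT IDENTITY PRIMARY KEY,
    Name         NVARCHAR(100) NOT NULL,
    SsnEncrypted VARBINARY(256) NULL   -- holds ciphertext only
);
GO

-- The certificate's private key is protected by a password instead of the
-- database master key, so the secret that unlocks the chain is supplied by
-- the application and is not stored in the database.
CREATE CERTIFICATE CustomerDataCert
    ENCRYPTION BY PASSWORD = '<cert-password-placeholder>'
    WITH SUBJECT = 'Protects CustomerDataKey';
GO

-- Symmetric key that encrypts the column data; it is itself stored
-- encrypted under the certificate.
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert;
GO

-- The application opens the key for its session, passing the password.
OPEN SYMMETRIC KEY CustomerDataKey
    DECRYPTION BY CERTIFICATE CustomerDataCert
    WITH PASSWORD = '<cert-password-placeholder>';

-- Write: encrypt the sensitive value before it reaches the table.
INSERT INTO dbo.Customer (Name, SsnEncrypted)
VALUES (N'Sample Person',
        EncryptByKey(Key_GUID('CustomerDataKey'), N'000-00-0000'));

-- Read: DecryptByKey returns VARBINARY, so convert back to the original type.
-- Without the open key this expression returns NULL.
SELECT CustomerId, Name,
       CONVERT(NVARCHAR(11), DecryptByKey(SsnEncrypted)) AS Ssn
FROM dbo.Customer;

CLOSE SYMMETRIC KEY CustomerDataKey;
GO
```

EncryptByKey output is non-deterministic, so an encrypted column cannot be used for equality searches or useful indexing; queries that filter on the value need a separate design. Only the columns encrypted this way are protected, unlike TDE, which covers the whole database, backups and tempdb spills.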
0

You've always got the option of doing full disk encryption with something like TrueCrypt, but you'll have to look at how this affects your server performance.

Dentrasi