Have been reading up on TDE for Azure SQL, it's on by default, you can BYOK via keyvault etc, and you can disable it at the database level.
My question is what are the business/technical reasons why you would disable TDE on an Azure SQL DB? Have done a bit of searching, people are disabling but I can't see why you would?
It has an impact on the DTU usage. TDE has CPU overhead despite it supports the Intel AES-NI hardware acceleration of encryption. What I mean is that some DTUs are needed to encrypt and decrypt data, but I would say you won’t notice impact for the typical query. TDE impact on DTU usage may force you to scale up the service tier and pay more.
Generally, you should not. The only reason it is even optional is that there is a small CPU overhead and that the service was running without it in the past. So, there is a desire from the service to not break anyone who was running close to the limits before for their resource reservation size and having negative impact after turning it on.
The possibility of this is remote, honestly, as the overhead is not large. There are always "outlier" application patterns, however, that may see larger impact enough to cause them problems in production if we just turned it on for everyone.
