This document introduces the Transparent Data Encryption feature of TencentDB for SQL Server.
Feature Overview
Transparent Data Encryption (TDE) is a feature that allows for the encryption and decryption of data to be transparent to the user. TDE provides file-level encryption, supporting real-time I/O encryption and decryption of data files. It can be transparent to applications at the database layer, requiring no modification of business code. Encryption is performed before data is written to the disk, ensuring that data stored on the disk is encrypted. Decryption occurs when data is read from the disk into memory. It means that encryption and decryption are transparently performed during disk data read and write operations and TDE does not increase the size of data files, which meets the compliance requirements for static data encryption.
Use Cases
TDE is usually used to address security and compliance issues in various scenarios, where the static data needs to be protected, such as PCI DSS and CCP compliance.
Functional Limitations
Only supports Tencent Cloud's automatically generated key certificates, user-generated key certificates are not supported.
Keys and certificates cannot be downloaded.
TDE at the instance level can only be enabled and cannot be disabled. Once TDE is enabled, the certificates and keys on the instance cannot be deleted.
TDE at the database level can be enabled or disabled.
All instances under the same account (UIN) have the same encryption certificate, which is used for backup recovery and rollback between different instances.
For instances under different accounts (UIN), if backup recovery and rollback are needed, the encryption certificate under the same account must be referenced.
Business intelligence service instances do not support the enablement of TDE.
Functional Description
The encryption certificate of TDE is an account-level certificate, and each account can only have one certificate, and each account can only have one TDE certificate, indicating that different instances under the same account have the same encryption certificate. This allows you to perform backup restoration and rollback among instances without disabling TDE.
For instances that reference the same encryption certificate, during backup recovery and data migration, if TDE is not enabled for the target instance but is enabled for the source database, then it will be automatically enabled for the target instance without affecting your business, as the certificates are the same under the same account.
If TencentDB for SQL Server database instances are distributed across different Tencent Cloud accounts and require cross-account backup and recovery, select Reference Certificate from Other Accounts as the certificate source when enabling TDE. By doing so, you can ensure that the certificates are the same for the database instances with TDE enabled under different accounts. That is, a root account (UIN) can only have one certificate, and one certificate may be used by multiple root accounts (UIN).
If a master instance is associated with RO instance, you only need to enable data encryption for the instance, and the data encryption for the RO instance will be enabled automatically.
If the instance is associated with a read-only instance or publish/subscribe, disassociate them before enabling or disabling instance TDE at the database level.
After TDE is enabled, data cannot be restored by a backup file offline. To restore it to a local database, you need to disable TDE and create a manual backup to restore data.
Databases encrypted offline cannot be directly migrated to TencentDB for SQL Server instances. You need to first disable the TDE function at the offline database level before migrating.
TDE enhances the data security while compromising the read/write performance of encrypted databases and significantly increasing CPU utilization. Therefore, enable TDE with caution. Inaddition, it is not recommended to enable the TDE function for instances withless than 4 CPU cores.
It may take a long time to enable or disable TDE, during which any operation on the instance is not supported, otherwise, you may fail to enable or disable TDE. We recommend that you perform this operation during the off-peak hours. These tasks include but are not limited to:
Modifying, deleting database, making database offline, detaching database.
Converting database or file group to read-only status.
Backing up database.
Rolling back/restoring database.
Changing data capture (CDC) .
Changing tracking (CT) .
Shrinking database.
Cloning database.
Modifying database permissions.
Note:
If users possess multiple root accounts (UIN), all of which require the enablement of the TDE feature, and subsequent cross-account backup recovery/migration/rollback operations are necessary among different root accounts (UIN), it is imperative to ensure that all root accounts reference the same certificate. That is, after the instance in Account 1 has enabled the TDE feature, the instances in Account 2, Account 3, Account 4, and so forth, must unequivocally reference the encryption certificate of Account 1 when enabling the TDE feature. Otherwise, subsequent cross-account operations (including but not limited to: cross-account rollback, cross-account backup recovery, cross-account migration, etc.) will be unfeasible.
Enabling Instance Transparent Data Encryption
Note:
After enablingTransparent Data Encryption, the encryption certificate is generated by Tencent Cloud, and other encryption certificates not provided by Tencent Cloud cannot be used.
2. Select the region, then in the instance list, click an Instance ID or Manage in the Operation column to enable TDE.
3. In the instance management page, select Data Security > Data Encryption, then click the button to enable the feature, located next to the TDE status.
Note:
The instance-level TDE feature cannot be disabled once enabled.
4. In the pop-up TDE encryption dialog box, there exist three scenarios. You may operate according to the actual scenario.
Scenario One: No Encryption Certificate
Select the source of the certificate, with options to Use Certificate of This Account or Reference Certificate from Other Accounts.
Use Certificate of This Account
Given that the encryption certificate for TDE is an account-level certificate, it implies that this account has not previously enabled TDE for any instance under it. Select to Use Certificate of This Account and click OK.
Reference Certificate from Other Accounts
This denotes the use of encryption certificates from other accounts. Select the option to Reference Certificate from Other Accounts, choose Reference Account, and then click OK.
Note:
If you reference certificate from other accounts, the certificates are the same for the instances with TDE enabled under different accounts. Therefore, cross-account backup and recovery can be smoothly performed, which means that backup files can be used to restore data to database instances under other accounts.
Scenario Two: Use Certificate of This Account
This scenario signifies that the account has previously enabled TDE for a certain instance under the account, and select the certificate source as Use Certificate of This Account. In such circumstances, the certificate source will default to Use Certificate of This Account. Simply clicking OK will enable TDE.
Scenario Three: Reference Certificate from Other Accounts
This scenario signifies that the account has previously enabled TDE for a certain instance under the account, with the certificate source Reference Certificate from Other Accounts. In such circumstances, the certificate source will default to Reference Certificate from Other Accounts. After selecting the Reference Account, you can click OK to enable TDE.
Enabling or Disabling Encrypted Databases
Note:
To enable/disable the TDE feature at the database level for an instance, the instance must not be associated with any read-only instances or publish/subscribe relationships. First, disassociate any read-only instances or publish/subscribe relationships, then enable/disable the TDE feature at the database level, and finally re-add the read-only instances and publish/subscribe relationships.
The prerequisite for setting up an encrypted database is that the Transparent Data Encryption feature of the instance has already been enabled. For the procedure, please refer to Enabling Instance Transparent Data Encryption. 2. Select the region, then in the instance list, click an Instance ID or Manage in the Operation column to enable TDE.
3. In the Instance Management page, select Data Security > Data Encryption, and then click on Settings after encrypting the database.
4. In the pop-up window, select the desired databases from the Unencrypted Database on the left, indicating the enablement of encryption for these databases. Conversely, remove databases from the Encrypted Database on the right, signifying the disablement of encryption for these databases. Click OK after performing operations as required.
5. After enabling the TDE function for a specific database dimension, one can view the databases with encryption functions either enabled or disabled under database management, based on the TDE status field.
Reviewing Tasks
When you enable or disable the instance-level TDE feature or the database-level TDE feature, you can understand the current task progress through the task icon in the upper right corner of the console.
Constraints on Cloud Databases with TDE Feature Enabled during Rollback, Backup Recovery, Migration, and Database Cloning
|
Rollback | Revert to Source Instance | Consistent with the instance certificate, a rollback can be performed. |
| Revert to Other Existing Instances under the Same Account | Certificates initialization is consistent across different instances under the same account. During the rollback process, the system will determine whether the conditions of the source database encryption being disabled or the target instance encryption being enabled are met before proceeding with the rollback. |
| Cross-Regional Rollback | Enable instances with cross-regional backup, synchronizing encrypted cross-regional backup files. Utilizing encrypted cross-regional backups for offsite rollback requires the certificates of instances in different regions under the same account to be uniformly initialized. During the rollback, the system will determine whether the source database has encryption disabled or the target instance has encryption enabled before proceeding with the rollback. |
Clone Database | Clone to Source Instance | Consistent with the instance certificate, cloning can be performed. |
Backup Restoration (Cold Migration) | Restoration to Source Instance from Backup | Consistent with the instance certificate, backup and restoration can be performed. |
| Backup Restoration to Other Existing Instances under the Same Account | When restoring from an encrypted backup file, it is necessary to ensure that the source backup file's encryption has been disabled or the target instance's encryption has been enabled. Therefore, if the source database has enabled TDE encryption and the target instance has not initiated instance-level TDE encryption, the system will automatically enable the instance-level TDE function for the target instance, given that the encryption certificates under the same account are identical. |
| Restoration of Backup to Cross-Account Instances | When restoring from an encrypted backup file, it is necessary to ensure that the source backup file's encryption has been disabled or the target instance's encryption has been enabled. Therefore, if the source database has enabled TDE encryption and the target instance has not initiated instance-level TDE encryption, the system will automatically enable instance-level TDE functionality for the target instance if the source database and target instance under the same account reference the same certificate. However, if the source database and target instance under different accounts reference different certificates, it is required to either disable the encryption of the source database or enable the encryption of the target instance and reference the same certificate before proceeding with the backup restoration. |
Migration with DTS | DTS Migration to Source Instance | Consistent with the instance certificate, migration can be conducted. |
| DTS Migration to Other Existing Instances under the Same Account | When migrating encrypted files, it is necessary to ensure that the source backup file encryption has been disabled or the target instance encryption has been enabled. Therefore, if the source database has enabled TDE encryption and the target instance has not initiated instance-level TDE encryption, the system will automatically enable the instance-level TDE function for the target instance, given that the encryption certificates under the same account are identical. |
| DTS Migration to Cross-Account Instances | Encrypted files, during data migration, necessitate the condition of either the source backup file having encryption disabled or the target instance having encryption enabled to proceed with data migration. Consequently, when the source database has TDE encryption enabled and the target instance does not have instance-level TDE encryption enabled, if the source database and the target instance under the same account reference the same certificate, the system will automatically enable instance-level TDE functionality for the target instance. However, if the source database and the target instance under different accounts reference different certificates, it is required to either disable encryption on the source database or enable encryption on the target instance and reference the same certificate before proceeding with data migration. |
Publish/Subscribe | Link from Source Instance to Other Existing Instances under the Same Region | When publishing and subscribing, the system will determine that the source database encryption must be disable or the target instance encryption must be enable before publishing and subscribing can be performed. |
Was this page helpful?