Transparent Data Encryption and Always Encrypted

Watch the video to deepen your understanding.
SubscribeComplete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Transparent Data Encryption (TDE) vs. Always Encrypted
In the modern landscape of data management, securing sensitive information at rest is no longer optional—it is a regulatory and ethical requirement. When designing relational data storage, architects must choose between different layers of encryption to balance security, performance, and application complexity.
This lesson explores two primary encryption technologies available in relational database systems (specifically Microsoft SQL Server and Azure SQL): Transparent Data Encryption (TDE) and Always Encrypted.
1. Introduction: Protecting Data at Rest
To secure data, we must define what we are protecting against:
- Physical Theft: Someone steals the hard drive or backup files from your data center.
- Unauthorized Access: A database administrator (DBA) or an application user views sensitive data they shouldn't see.
Transparent Data Encryption (TDE) protects against physical theft. It encrypts the entire database file (the "data at rest"). If someone steals the backup file or the physical drive, they cannot attach or restore it without the encryption keys.
Always Encrypted protects against unauthorized access. It ensures that sensitive data is encrypted within the database engine. Even a DBA with full administrative rights cannot see the plain-text data because the encryption and decryption occur solely on the client-side (the application).
2. Transparent Data Encryption (TDE)
How it Works
TDE performs I/O encryption and decryption of the database, backups, and log files. When data is read from the disk, it is decrypted; when written to the disk, it is encrypted. Because this happens at the file level, it is "transparent" to the application.
Practical Example
TDE is usually configured at the database level. Once enabled, the application requires no code changes.
Code Snippet (SQL Server):
-- 1. Create a Master Key in the master database
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'StrongPassword123!';
-- 2. Create a certificate protected by the master key
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE Certificate';
-- 3. Create the Database Encryption Key (DEK)
USE MySecureDB;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE TDECert;
-- 4. Enable encryption
ALTER DATABASE MySecureDB
SET ENCRYPTION ON;
Key Characteristic
TDE secures the storage media. If a malicious actor gains access to the database via a compromised application connection, the data will appear in plain text. TDE does not protect data from users who have legitimate access to the database.
3. Always Encrypted
How it Works
Always Encrypted uses a two-tier key architecture:
- Column Encryption Key (CEK): Encrypts the data in the column.
- Column Master Key (CMK): Protects the CEK.
The database engine never sees the plain-text data. When an application fetches data, the driver uses the CMK (stored in a secure location like Azure Key Vault or Windows Certificate Store) to decrypt the data locally.
Practical Example
Always Encrypted is highly granular. You choose specific sensitive columns (e.g., SocialSecurityNumber, CreditCard) to encrypt.
Code Snippet (Defining an Encrypted Column):
CREATE TABLE Users (
UserID INT PRIMARY KEY,
FullName NVARCHAR(100),
-- Encrypted column using Randomized encryption
SSN NVARCHAR(11) COLLATE Latin1_General_BIN2
ENCRYPTED WITH (
COLUMN_ENCRYPTION_KEY = [MyCEK],
ENCRYPTION_TYPE = Randomized,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
)
);
Key Characteristic
Always Encrypted secures the data itself. Even if a DBA performs a SELECT * on the table, they will only see encrypted ciphertext. The application must possess the certificate/key to view the original values.
4. Best Practices and Common Pitfalls
Best Practices
- Use TDE for Compliance: If your organization requires "encryption at rest" for regulatory compliance (HIPAA, PCI-DSS), TDE is the baseline requirement.
- Use Always Encrypted for Highly Sensitive Data: Reserve Always Encrypted for columns containing PII (Personally Identifiable Information) or financial data where you do not trust the database administrators.
- Key Management: Never store keys in the same location as the data. Use a Hardware Security Module (HSM) or cloud-native key vaults (Azure Key Vault, AWS KMS).
- Randomized vs. Deterministic: Use Randomized encryption for maximum security (different ciphertexts for the same input). Use Deterministic only if you need to perform equality searches on the encrypted column.
Common Pitfalls
- Performance Impact: Always Encrypted has a performance overhead due to the cryptographic operations occurring at the application tier.
- Query Limitations: With Always Encrypted, you cannot perform range searches (e.g.,
WHERE Salary > 50000) or pattern matching (LIKE) on encrypted columns. - Backup Management: If you lose the TDE certificate or the Always Encrypted master key, your data is permanently unrecoverable. Always back up your keys separately from your database backups.
5. Key Takeaways
| Feature | Transparent Data Encryption (TDE) | Always Encrypted |
|---|---|---|
| Scope | Entire Database | Specific Columns |
| Primary Threat | Physical theft of files/drives | Unauthorized access by DBAs/Admins |
| App Changes | None | Required (Driver/Key configuration) |
| Performance | Minimal impact | Higher impact |
| Complexity | Low | High |
Summary:
- TDE is your "first line of defense" for protecting files on disk. It is mandatory for most enterprise environments.
- Always Encrypted is your "last line of defense" for protecting sensitive data from privileged users. It requires more planning but offers superior data privacy.
- Security is layered: In a high-security architecture, you should ideally implement both TDE and Always Encrypted to provide defense-in-depth.
Important: Always ensure your key rotation policy is automated. Relying on manual key management is a significant security risk that often leads to data loss if keys are misplaced or expire.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons