Amazon RDS for Microsoft SQL Server – Transparent Data Encryption (TDE)
Amazon RDS for Microsoft SQL Server now supports the use of Transparent Data Encryption (TDE). Once enabled, the database instance encrypts data before it is stored in the database and decrypts it after it is retrieved.
You can use this feature in conjunction with our previously announced support for SSL connections to SQL Server to protect data at rest and in transit. You can also create and access your database instances inside of a Virtual Private Cloud in order to have complete control over your networking configuration.
To enable TDE for an Amazon RDS for SQL Server instance, simply specify the TDE option in a Database Option Group that is associated with the instance:
Amazon RDS will generate a certificate that will be used in the encryption process. If running instances are making use of the option group, the certificate will be deployed to the instances.
Then, locate the certificate and encrypt the desired databases using the ALTER DATABASE command.
Here’s how you go about setting things up. First, you locate the certificate using a pattern match:
Then you switch to your database and create the encryption key using the certificate name from the previous step:
And then you encrypt the database:
You can verify that the database is encrypted like this:
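The four steps above (find the RDS-generated certificate, create the database encryption key, turn encryption on, verify) as one T-SQL script. This is an added example, not the screenshots from the original post or AWS's own code; the database name `SalesDB` is hypothetical, and the certificate name prefix `RDSTDECertificate` is an assumption about how RDS names the certificate it deploys, so substitute the name the first query actually returns.

```sql
-- Step 1: locate the certificate RDS deployed when the TDE option was applied.
-- Assumption: its name begins with 'RDSTDECertificate'. If this returns no rows,
-- the option group change has not reached the instance yet; do not proceed.
SELECT name, start_date, expiry_date
FROM sys.certificates
WHERE name LIKE 'RDSTDECertificate%';
GO

-- Step 2: switch to the target database (hypothetical name) and create the
-- database encryption key (DEK), protected by the server certificate found above.
-- Replace the bracketed placeholder with the exact name returned by step 1.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE [RDSTDECertificate_NAME_FROM_STEP_1];
GO

-- Step 3: enable TDE. This returns immediately; SQL Server encrypts the existing
-- pages in a background scan, so the database is not fully protected until it finishes.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- Step 4: verify. encryption_state 2 = encryption in progress, 3 = encrypted;
-- is_encrypted flips to 1 as soon as encryption is switched on, so check both.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON d.database_id = k.database_id
WHERE d.name = 'SalesDB';
GO
```

The `GO` separators are for sqlcmd or SQL Server Management Studio; drop them if you run the statements through a driver that sends one batch at a time. Re-run the step 4 query until `encryption_state` reports 3, and note that TDE covers the data and log files (and backups taken from them) at rest only: a principal with permission to query the database still sees plaintext, which is why the post pairs it with SSL for the connection and a VPC for network isolation.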