AWS Blog

Amazon RDS for Microsoft SQL Server – Transparent Data Encryption (TDE)

by Jeff Barr | in Amazon RDS

Amazon RDS for Microsoft SQL Server now supports the use of Transparent Data Encryption (TDE). Once enabled, the database instance encrypts data before it is stored in the database and decrypts it after it is retrieved.

You can use this feature in conjunction with our previously announced support for SSL connections to SQL Server to protect data at rest and in transit. You can also create and access your database instances inside of a Virtual Private Cloud in order to have complete control over your networking configuration.

To enable TDE for an Amazon RDS for SQL Server instance, simply specify the TDE option in a Database Option Group that is associated with the instance.

Amazon RDS will generate a certificate that will be used in the encryption process. If running instances are making use of the option group, the certificate will be deployed to the instances.

Then, locate the certificate and encrypt the desired databases using the ALTER DATABASE command.

Here’s how you go about setting things up. First, you locate the certificate using a pattern match:

-- Find an RDSTDECertificate to use
USE [master]
GO
SELECT name FROM sys.certificates WHERE name LIKE 'RDSTDECertificate%'
GO

Then you switch to your database and create the encryption key using the certificate name from the previous step:

USE [customerDatabase]
GO
-- Create DEK using one of the certificates from the previous step
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE [RDSTDECertificateName]
GO

And then you encrypt the database:

-- Enable encryption on the database
ALTER DATABASE [customerDatabase]
SET ENCRYPTION ON
GO

You can verify that the database is encrypted like this:

-- Verify that the database is encrypted
USE [master]
GO
SELECT name FROM sys.databases WHERE is_encrypted = 1
GO
SELECT db_name(database_id) AS DatabaseName, * FROM sys.dm_database_encryption_keys
GO
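The same procedure as one script, added here as an example that is not part of the original post: it selects the RDS-generated certificate by pattern instead of hand-copying its name, skips DEK creation if the database already has one, and reports the encryption state and the certificate's expiry so you can confirm the background encryption scan finished. It assumes a database named [customerDatabase], a SQL Server 2012 or later engine (for THROW), and uses AES_256 where the post used AES_128.

```sql
-- Added example (not from the original post). Assumes [customerDatabase]
-- exists and the TDE option is already attached to the instance's option group.
USE [master];
GO
DECLARE @cert sysname, @sql nvarchar(max);

-- Pick the RDS-generated TDE certificate (normally there is exactly one).
SELECT TOP (1) @cert = name
FROM sys.certificates
WHERE name LIKE 'RDSTDECertificate%'
ORDER BY name;

IF @cert IS NULL
    THROW 50000, 'No RDSTDECertificate found: is the TDE option attached to the option group?', 1;

-- Create the DEK only if the database does not already have one
-- (a second CREATE DATABASE ENCRYPTION KEY would fail).
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys
               WHERE database_id = DB_ID(N'customerDatabase'))
BEGIN
    -- USE inside the dynamic batch puts CREATE DEK in the right database context.
    SET @sql = N'USE [customerDatabase]; '
             + N'CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 '
             + N'ENCRYPTION BY SERVER CERTIFICATE ' + QUOTENAME(@cert) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Turn encryption on; this starts a background scan that encrypts existing pages.
ALTER DATABASE [customerDatabase] SET ENCRYPTION ON;
GO

-- Verify. encryption_state: 1 = unencrypted, 2 = encryption in progress,
-- 3 = encrypted. Re-run until state 3 is reported; percent_complete shows
-- scan progress while state is 2.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID(N'customerDatabase');
GO
```

Because the DEK is protected by the server certificate, keep an eye on the certificate's expiry_date and on sys.certificates after any instance change; a database whose DEK cannot be decrypted by an available certificate will not open.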

To learn more about using TDE with Amazon RDS for SQL Server, please visit the Amazon RDS for SQL Server detail page and our documentation.

— Jeff;

PS – If you are running Amazon RDS for Oracle Database, you’ll be happy to know that it also supports Transparent Data Encryption.