Below are some other important factor to take into account before implementing transparent data encryption:
- Using TDE requires a database encryption key (DEK) and any certificate that you may have used for the DEK. You will need this key when restoring your backups.
- If you are using TDE, instant file initialization is disabled. Instant file initialization is a feature of Windows Server 2003 that SQL Server 2005 can take advantage of where database growth times are extremely fast, as the underlying space in the file system does not need to be zeroed out.
If you are log shipping or database mirroring a transparent data encryption database, TDE will need to be enabled on the secondary, or mirror server.
- FILESTREAM data will not be encrypted. FILESTREAM is a feature of SQL Server 2008 where varbinary columns can be stored in the file system and asynchronously streamed to the client.
- Read-only file groups in your database will have to be made writable to enable TDE to encrypt the database contents. They can then be made read-only again.
- Enabling a database for transparent data encryption may take some time, and some database operations will not be enabled during this conversion period. Consult Microsoft’s page on understanding TDE for more information on what these limitations are.
- Replication is “TDE unaware”, and replicated data will not be encrypted. In other words, replication network traffic will be plain text as always, as will the replication snapshot files. The DBA will need to account for this in the compliance effort.
- Full-text indexing will extract textual data from varbinary and image columns into the file system momentarily during the index process. This data will be plain text and not encrypted. Microsoft recommends that you do not full-text index data stored in the varbinary/image columns.
Source:–http://www.sql-server-performance.com/articles/dba/Transparent_Data_Encryption_p1.aspx
Filed under: database | Tagged: TDE, FILESTREAM, database encryption key, SQL Server
