Transparent Data Encryption vs Always Encrypted

SQL Server and SQL Database both support two encryption features, Transparent Data Encryption (TDE) and Always Encrypted. Encryption in general protects data against unwanted access, but each of these features addresses a different threat. They are complementary, and this blog article presents a side-by-side comparison to help you decide which technology to use and how to combine them to provide multilayer security.

Transparent Data Encryption

The function of TDE is to add a layer of protection to data at rest by preventing offline access to raw database files or backups. Common scenarios include theft from a data center or insecure disposal of hardware or media such as disk drives and backup tapes. See Feature Spotlight: Transparent Data Encryption for a more in-depth look at how TDE protects against hostile parties attempting to restore or attach stolen artifacts (data files, snapshots, log files, backups, or copies), as well as for TDE recommended practices.

Enabling TDE on databases allows you to comply with many laws, regulations, and security requirements that require data to be encrypted at rest across multiple industries. There should be no need to disable TDE unless the data stored in a SQL database has no protection requirements at all.

Always Encrypted

Always Encrypted complements transparent data encryption: it is a feature designed to prevent database administrators, administrators of the machines hosting SQL Server instances, and SQL Database administrators from accessing sensitive data stored in SQL Database or SQL Server databases. Data in the database stays protected even if the entire system is compromised, for example by malware. Always Encrypted uses client-side encryption, in which a database driver embedded in the application transparently encrypts data before sending it to the database, and likewise decrypts encrypted data returned by queries.

Always Encrypted separates those who own the data (and may view it) from those who administer the data, protecting it from high-privilege users who have no need to know (and should have no access). Customers can therefore store sensitive data in the cloud with confidence, delegate on-premises database management to third parties, and reduce the security clearance requirements for their own DBA team.

Unlike TDE, Always Encrypted is only partly transparent to applications. Although the client driver transparently encrypts and decrypts data, the application may need to be changed to comply with Always Encrypted requirements and limitations. For example, Always Encrypted allows only a limited set of operations on encrypted database columns.
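As an added example (not code from the original article), the following T-SQL shows how the two features are layered on one database: TDE is switched on for the whole database, then Always Encrypted protects individual columns, with comments on which queries the restrictions just described still allow. The database, certificate and key names are assumed, and the key-store path and wrapped key value are placeholders that client-side tooling would normally supply.

```sql
-- 1. TDE: encrypts every data and log page of the database at rest.
--    Keys live on the server, so a DBA can still read the data through queries.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate';  -- back this up, or backups become unrestorable
USE PayrollDb;  -- assumed database name
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE PayrollDb SET ENCRYPTION ON;
-- Check: encryption_state 3 means the background encryption scan has finished.
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys;

-- 2. Always Encrypted: per-column encryption with keys the server never sees in plaintext.
--    The column master key stays in a client-side store; the server holds only the
--    column encryption key wrapped by it (ENCRYPTED_VALUE is produced by client tooling).
CREATE COLUMN MASTER KEY PayrollCMK
    WITH (KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
          KEY_PATH = 'CurrentUser/My/<certificate thumbprint placeholder>');
CREATE COLUMN ENCRYPTION KEY PayrollCEK
    WITH VALUES (COLUMN_MASTER_KEY = PayrollCMK,
                 ALGORITHM = 'RSA_OAEP',
                 ENCRYPTED_VALUE = 0x00 /* placeholder: wrapped key blob from client tooling */);

CREATE TABLE dbo.Employees (
    EmployeeId int IDENTITY(1,1) PRIMARY KEY,
    -- DETERMINISTIC: same plaintext -> same ciphertext, so equality lookups and joins work.
    -- Deterministic string columns must use a _BIN2 collation.
    NationalId char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = PayrollCEK,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- RANDOMIZED: stronger, but the server can only store and return the value.
    Salary money
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = PayrollCEK,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);

-- 3. What the server-side restrictions mean in practice (the connection must use an
--    Always Encrypted-capable driver with Column Encryption Setting=Enabled):
-- Works: the driver encrypts @id deterministically, so the server compares ciphertexts.
--   SELECT EmployeeId FROM dbo.Employees WHERE NationalId = @id;
-- Fails: range comparison and arithmetic are not possible on ciphertext.
--   SELECT EmployeeId FROM dbo.Employees WHERE Salary > 50000;
-- Fails: the server cannot encrypt a literal; values must arrive as driver parameters.
--   SELECT EmployeeId FROM dbo.Employees WHERE NationalId = '000-00-0000';
```

In SQL Database, TDE is enabled by default with service-managed keys, so step 1 applies to SQL Server; the Always Encrypted steps are the same on both.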
