patternsqlMinor
Can anyone recommend an encryption method for ALL user dbs using SQL Server 2016 STANDARD edition?
Viewed 0 times
anyoneencryptioncandbsmethodallsqluserserverstandard
Problem
Our clients are insisting that we now encrypt ALL their SQL Server data at rest, which must include tempdb. I think I have the following options available –
Any recommendations appreciated (for SQL Server 2016 STANDARD edition only)
- Bitlocker entire drive(s)
- TDE (but the cost of Enterprise edition breaks our support model for these clients!)
- Always-Encrypted (but more a GDPR/Personal information solution, not for whole databases) – and cannot then “wildchar” search these fields, which is a requirement.
- EFS the User databases location on disk
- Some 3rd party application that does SQL Server encryption
- Others?
Any recommendations appreciated (for SQL Server 2016 STANDARD edition only)
Solution
There are 3rd party tools which replicate TDE functionality.
I have tested the following during an exercise to evaluate whether we can move from Enterprise to Standard Edition:
In both cases, they seem to work by placing a driver between the SQL binaries and the storage layer, and after configuration are transparent to the connecting application. Queries work in the exact same way as for TDE-enabled databases. Once the data leaves the storage, it is unencrypted. It would appear as an unencrypted database to all authenticated connections.
They do cost, but I believe there are trial versions available.
In performance tests (10,000 small insert queries into a clustered index) I found that DBDefence closely mirrored the performance of a TDE-enabled database. Query times for Netlib increased by approx 8%. Obviously your specific scenario may differ.
All my tests were performed on SQL 2016 Standard.
I have tested the following during an exercise to evaluate whether we can move from Enterprise to Standard Edition:
- https://www.database-encryption.com/
- https://netlibsecurity.com/
In both cases, they seem to work by placing a driver between the SQL binaries and the storage layer, and after configuration are transparent to the connecting application. Queries work in the exact same way as for TDE-enabled databases. Once the data leaves the storage, it is unencrypted. It would appear as an unencrypted database to all authenticated connections.
They do cost, but I believe there are trial versions available.
In performance tests (10,000 small insert queries into a clustered index) I found that DBDefence closely mirrored the performance of a TDE-enabled database. Query times for Netlib increased by approx 8%. Obviously your specific scenario may differ.
All my tests were performed on SQL 2016 Standard.
Context
StackExchange Database Administrators Q#200475, answer score: 6
Revisions (0)
No revisions yet.