Sql-server – Can anyone recommend an encryption method for ALL user dbs using SQL Server 2016 STANDARD edition

encryptionsql serversql-server-2016standard-edition

Our clients are insisting that we now encrypt ALL their SQL Server data at rest, which must include tempdb. I think I have the following options available –

  • Bitlocker entire drive(s)
  • TDE (but the cost of Enterprise edition breaks our support model for these clients!)
  • Always-Encrypted (but more a GDPR/Personal information solution, not for whole databases) – and cannot then “wildchar” search these fields, which is a requirement.
  • EFS the User databases location on disk
  • Some 3rd party application that does SQL Server encryption
  • Others?

Any recommendations appreciated (for SQL Server 2016 STANDARD edition only)

Best Answer

There are 3rd party tools which replicate TDE functionality.

I have tested the following during an exercise to evaluate whether we can move from Enterprise to Standard Edition:

In both cases, they seem to work by placing a driver between the SQL binaries and the storage layer, and after configuration are transparent to the connecting application. Queries work in the exact same way as for TDE-enabled databases. Once the data leaves the storage, it is unencrypted. It would appear as an unencrypted database to all authenticated connections.

They do cost, but I believe there are trial versions available.

In performance tests (10,000 small insert queries into a clustered index) I found that DBDefence closely mirrored the performance of a TDE-enabled database. Query times for Netlib increased by approx 8%. Obviously your specific scenario may differ.

All my tests were performed on SQL 2016 Standard.

Related Question