SQL Server 2016 Transparent Data Encryption – How to Deploy

Tags: sql-server, sql-server-2016, transparent-data-encryption

I have an installation of SQL 2016 Enterprise and my boss wants to deploy TDE. I googled online and all the instructions say something like "you can use a self-signed certificate for test/dev purposes". Most guides just say back up the master key and cert and that's it.

I have two SQL Servers; they sit on two separate domains. I want to make sure a database encrypted on one server can be restored on the other server.

What is the proper way and what steps should be applied to a production server? I think there is more to it than just creating a self-signed cert and backing it up somewhere safe.

Best Answer

What you've described is really it. Self-signed keys are just fine for TDE in production as they will not need to be verifiable remotely.

Having said that, using EKM apparently adds another layer of security. See here and here.

But for self-signed, you can test your multi-domain requirement (which I'm quite sure makes no difference) using this info.
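The full round trip the answer refers to (self-signed certificate on the source, restore on a server in another domain), written out as an added T-SQL example; this is not code from the question or the answer. The database name `AppDB`, the certificate name `TDE_Cert`, the `D:\TDE_Backup` and `D:\Data` paths and the `<...>` passwords are assumed placeholders, and the target server is assumed to be the same or a newer SQL Server version than the source.

```sql
-- ===== Source server (the one that encrypts the database) =====
USE master;
GO
-- Database master key (DMK) in master. It is protected by the service master key and
-- by this password; the password is needed only if the DMK is ever opened by hand.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
-- Self-signed certificate that will protect the database encryption key.
-- Nothing outside this instance ever has to validate it, so no CA is involved.
-- TDE ignores expiry, but set it explicitly so the default (one year) does not confuse audits.
CREATE CERTIFICATE TDE_Cert
    WITH SUBJECT = 'TDE certificate for AppDB',
    EXPIRY_DATE = '2099-12-31';
GO
-- Back up the certificate WITH its private key before encrypting anything.
-- These two files plus their password are what makes a restore elsewhere possible;
-- keep them separate from the database backups (a .bak without them is unreadable).
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\TDE_Backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE_Backup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- Database encryption key (DEK) lives inside the user database and is protected by the certificate.
USE AppDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE AppDB SET ENCRYPTION ON;
GO
-- Check progress: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb shows up here too once any database on the instance is encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- An ordinary backup; the pages inside it are already encrypted with the DEK.
BACKUP DATABASE AppDB TO DISK = 'D:\TDE_Backup\AppDB.bak';
GO

-- ===== Target server (other domain) =====
-- Domain membership plays no part: only the certificate and private key matter.
USE master;
GO
-- The target needs its own DMK in master; its password can differ from the source's.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password on target>';
GO
-- Recreate the certificate from the backed-up files. The name can even differ;
-- SQL Server matches the certificate to the backup by thumbprint.
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'D:\TDE_Backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE_Backup\TDE_Cert.pvk',
        DECRYPTION BY PASSWORD = '<strong private key password>');
GO
-- Without the step above this RESTORE fails with error 33111
-- ("Cannot find server certificate with thumbprint ...").
RESTORE DATABASE AppDB FROM DISK = 'D:\TDE_Backup\AppDB.bak'
    WITH MOVE 'AppDB' TO 'D:\Data\AppDB.mdf',
         MOVE 'AppDB_log' TO 'D:\Data\AppDB_log.ldf';
GO
```

Run the target half once on the second server before relying on it: a restore that succeeds there is the only real proof that the certificate backup and its password are complete and stored where the second site can reach them. If the certificate is ever rotated (`ALTER DATABASE ENCRYPTION KEY ... ENCRYPTION BY SERVER CERTIFICATE`), back up the new certificate the same way, because older backups still need whichever certificate protected the DEK when they were taken.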