Sql-server – TDE vs Disk Encryption

azure-sql, sql-server

We are a small business that hosts applications and data for clients.
Some of our clients are requesting that we protect their data with 'encryption at rest', although it's never very clear if they know what this really means.

The data is currently on an Azure VM running SQL Server Standard.

One option is for us to use TDE, but this is only available in SQL Enterprise and the extra licensing cost would be considerable for us.

The other is to use Azure Disk Encryption on the existing SQL Standard VM for free.

Is there much practical difference in the outcome between using TDE and Disk Encryption when it comes to reassuring the client that their data is encrypted at rest?

What differences should I be considering?

Best Answer

Transparent Data Encryption is what is actually known as encrypting data at rest.

TDE works by performing real-time I/O encryption and decryption of the data and log files (data "at rest"). The database encryption key (DEK) is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module.

Full Disk Encryption is encrypting the whole disk of your VM. That means everything residing on the disk, not only the SQL database.

So that's the difference: everything vs the DB only. Since the client asked for DB encryption, either of the two is valid, and since you can use Azure Disk Encryption for free, you could do that.
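As an added example, not part of the question or answer above, this is the T-SQL sequence that builds the key hierarchy the answer describes (master key in master, a certificate protecting the DEK, the DEK inside the user database) and then verifies the encryption state. The database name ClientData, the certificate name, the backup file paths and the password placeholders are assumptions, not values from the page.

```sql
-- Run in the master database of the SQL Server instance.
USE master;
GO
-- 1. Database master key (DMK) in master, protected by a password and,
--    by default, also by the service master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. Certificate in master that will protect the DEK (assumed name).
CREATE CERTIFICATE TDE_ClientDataCert
    WITH SUBJECT = 'TDE certificate for ClientData';
GO
-- 3. Back up the certificate and its private key right away and store them
--    off the VM: without them the encrypted database and its backups cannot
--    be restored anywhere else. Paths and password are placeholders.
BACKUP CERTIFICATE TDE_ClientDataCert
    TO FILE = 'C:\TDEBackup\TDE_ClientDataCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEBackup\TDE_ClientDataCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
-- 4. DEK inside the user database (assumed name ClientData), protected by
--    the server certificate. The DEK is what the boot record carries.
USE ClientData;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_ClientDataCert;
GO
-- 5. Switch TDE on; a background scan encrypts the existing pages.
ALTER DATABASE ClientData SET ENCRYPTION ON;
GO
-- 6. Verify. encryption_state 3 = encrypted, 2 = encryption in progress,
--    percent_complete shows how far the background scan has got.
SELECT DB_NAME(k.database_id)  AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       k.percent_complete,
       c.name                  AS certificate_name
FROM sys.dm_database_encryption_keys AS k
JOIN master.sys.certificates AS c
    ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('ClientData');
```

Once any user database is encrypted, tempdb is encrypted as well and native backups of ClientData are encrypted with the same DEK, which is the part a client asking for "encryption at rest" usually wants to hear.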
