Transparent Data Encryption (TDE) is available in the Relational Database Service.
TDE encrypts the data and backup files of a database in real time.
Single and primary/standby instances are supported with MS SQL Server 2017 Enterprise Edition (EE).
- If TDE has been enabled for a single DB instance, the instance cannot be changed to primary/standby DB instances.
- RDS for SQL Server currently does not support TDE certificate download. To restore data offline using the encrypted .bak file, perform the following operations:
a) Disable TDE for the database. For details, see Configuring Database-Level TDE.
b) Create a manual backup for the database.
c) Restore data from the manual backup.
d) Enable TDE for the database as required.
- Enabling TDE improves data security but affects read and write performance of encrypted databases. Exercise caution when enabling TDE.
- To migrate on-premises encrypted databases to RDS SQL Server DB instances, you need to disable database-level TDE first.
- DB instances with the instance-level TDE function enabled cannot be restored from backups to existing DB instances.
- When enabling the instance-level TDE function or using the stored procedure rds_tde to enable or disable database-level TDE, you are advised not to perform the following operations: