Transparent Data Encryption (TDE) is available in the Relational Database Service.

TDE encrypts the data and backup files of a database in real time.

Single and primary/standby instances are supported with MS SQL Server 2017 Enterprise Edition (EE).

Constraints

1. If TDE has been enabled for a single DB instance, the instance cannot be changed to primary/standby DB instances.
2. RDS for SQL Server currently does not support TDE certificate download. To restore data offline using the encrypted .bak file, perform the following operations:
   
   a) Disable TDE for the database. For details, see Configuring Database-Level TDE. 
   b) Create a manual backup for the database. 
   c) Restore data from the manual backup. 
   d) Enable TDE for the database as required.
    
3. Enabling TDE improves data security but affects read and write performance of encrypted databases. Exercise caution when enabling TDE.
4. To migrate on-premises encrypted databases to RDS SQL Server DB instances, you need to disable database-level TDE first.
5. DB instances with the instance-level TDE function enabled cannot be restored from backups to existing DB instances.
6. When enabling the instance-level TDE function or using the stored procedure rds_tde to enable or disable database-level TDE, you are advised not to perform the following operations:

• Delete files from file groups in databases
• Delete databases
• Take databases offline
• Split databases
• Convert databases or file groups to the READ ONLY state
• Run the ALTER DATABASE command
• Create backups
• Start backup for databases or database files
• Start restoration for databases or database files

Further information can be found in the RDS area of the Help Center.