
  • RDS Encryption versus Transparent Data Encryption (TDE) for SQL Server

  • kung

    Member
    May 5, 2020 at 7:22 pm

    I don’t understand the reason stated that RDS Encryption is not the right choice as “It doesn’t automatically encrypt data before it is written to storage, nor automatically decrypt data when it is read from storage.”

    According to AWS documentation “Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.”
    Does this mean the data is first written unencrypted to storage, and then at a later time only encrypted while it is already on the storage (and this all transparently of course)?

    Also, Googling a bit, I found this article that states “they are pretty much the same” (the only differences being DB backup encryption and costs). I didn’t find any other articles that clearly stated the pros/cons (differences) between RDS Encryption and TDE.

    Of course you might be used to using TDE in your on-premise SQL Server environment, and that might be a reason to continue with it (more of a business reason almost), but that wasn’t explicitly mentioned like that.
    Only ‘automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage’ is stated which can be found literally like that on the AWS documentation page regarding TDE indeed.
    But that is a bit of a weak argumentation here I think, as it’s from a technical point of view not clear to me why RDS Encryption doesn’t fit / why TDE would be better.

    If there’s a webpage or somebody that can explain that clearly to me, I would be happy to see that.

    Kind regards,
    Robert

  • Jon-Bonso

    Administrator
    May 7, 2020 at 1:16 pm

    Hi Robert,

    Thank you for posting your question. Just as you said, the official web page / AWS documentation that you are looking for is already provided in the detailed explanation and the reference links.

    Indeed, TDE and RDS Encryption are two seemingly similar features. You can also use them together. The latter doesn’t support SQL Server Express Edition, although this is not the type of database mentioned in the question.

    The scenario says:

    A web application is currently using an on-premises Microsoft SQL Server 2017 Enterprise Edition database. Your manager instructed you to migrate the application to Elastic Beanstalk and the database to RDS. For additional security, you must configure your database to automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage.

    Which of the following services will you use to achieve this?

    Take note of the key phrase here: “automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage.”


    The provided answer is:

    Enable Transparent Data Encryption (TDE).


    The incorrect option that you are referring to is this:

    Enable RDS Encryption.

    The rationale for the incorrect option in the explanation says:

    … this simply encrypts your Amazon RDS DB instances and snapshots at rest. It doesn’t automatically encrypt data before it is written to storage, nor automatically decrypt data when it is read from storage.


    The explanation has the following screenshot as well, that contains the above key phrase:

    https://udemy-images.s3.amazonaws.com/redactor/raw/2019-06-26_06-40-30-6f92efec7d7944f7a2698921f8ac94cc.png


    The official AWS documentation says:

    Amazon RDS supports using Transparent Data Encryption (TDE) to encrypt stored data on your DB instances running Microsoft SQL Server. TDE automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.

    https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.SQLServer.Options.TDE.html

    The similarity of the wording in the scenario and the description of TDE is notable and in my opinion, not a weak argument as it’s almost verbatim.

    In fact, the capability to “automatically encrypts data before it is written to storage” is unique to TDE: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15


    RDS Encryption uses KMS to manage the encryption keys. The data must be written to storage first before RDS can start the encryption. Hence, it encrypts the data AFTER it is written to storage, which is the exact opposite of what TDE is doing.


    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!


    Regards,

    Jon Bonso @ Tutorials Dojo
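    The two features operate at different layers: RDS Encryption is volume-level encryption managed through KMS for the instance's storage, backups, replicas and snapshots, while TDE is performed by the SQL Server engine itself on the data and log files of a specific database. The T-SQL below, added here as an example and not taken from this thread or from AWS's documentation, shows the database-side steps for enabling TDE on an RDS for SQL Server instance and then verifying the encryption state. It assumes the TDE option has already been added to the instance's option group, that the user database is called [AppDb] (a hypothetical name), and that <RDSTDECertificateName> is replaced with the certificate name returned by the first query.

```sql
-- Added example, not code from the forum post or from AWS.
-- Assumes: an RDS for SQL Server instance whose option group already has the
-- TDE option attached, and a user database named [AppDb] (hypothetical name).

-- 1. RDS provisions a server certificate in master for TDE; look up its name.
--    The exact name is instance-specific (prefix RDSTDECertificate).
SELECT name, start_date, expiry_date
FROM master.sys.certificates
WHERE name LIKE 'RDSTDECertificate%';

-- 2. Create a database encryption key (DEK) protected by that certificate.
--    <RDSTDECertificateName> is a placeholder: substitute the name from step 1.
USE [AppDb];
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE [<RDSTDECertificateName>];
GO

-- 3. Turn encryption on. The engine encrypts existing pages in a background
--    scan, and every page written from now on is encrypted before it reaches
--    the data or log file.
ALTER DATABASE [AppDb] SET ENCRYPTION ON;
GO

-- 4. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    percent_complete reports progress of the initial background scan.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
FROM sys.dm_database_encryption_keys AS k;
```

The verification query in step 4 is the check worth keeping in a runbook: a database can have a DEK yet still report encryption_state 1 (unencrypted) if SET ENCRYPTION ON was never issued. Volume-level RDS Encryption is a separate property of the instance, visible as the StorageEncrypted field in the output of `aws rds describe-db-instances`, and enabling one does not imply the other.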

  • kung

    Member
    May 7, 2020 at 4:33 pm

    Hello Jon,

    Thanks for the exhaustive reply.

    The key sentence in your reply to me is

    “RDS Encryption uses KMS to manage the encryption keys. The data must be written to storage first before RDS can start the encryption. Hence, it encrypts the data AFTER it is written to storage, which is the exact opposite of what TDE is doing.”

    As this is answering my question “Does this mean the data is first written unencrypted to storage, and then at a later time only encrypted while it is already on the storage (and this all transparently of course)?”

    Apparently it is, although I could very well imagine that it would be a kind of streaming (in-memory) operation: the API call to write/put data to the database, which would then be streamed to an encryption API call, after which it would be written to storage.

    Do you have any AWS documentation links about these technical details?
    Would be interesting. I couldn’t find anything (yet).

    Thanks,
    Robert

  • Jon-Bonso

    Administrator
    May 7, 2020 at 5:13 pm

    Hi Robert,

    I did the honors and raised a pull-request to the AWS Documentation team: https://github.com/awsdocs/amazon-rds-user-guide/pull/102

    Cheers,

    Jon Bonso
