Home › Forums › AWS › AWS Certified Developer Associate › RDS Encryption versus Transparent Data Encryption (TDE) for SQL Server › Reply To: RDS Encryption versus Transparent Data Encryption (TDE) for SQL Server
-
Hello Jon,
Thanks for the exhaustive reply.
They key sentence in your reply to me is
“RDS Encryption is using KMS to manage the encryption keys. The data must be written to storage first before RDS can do start the encryption. Hence, it encrypts the data AFTER it is written to storage, which is the exact opposite of what TDE is doing.”
As this is answering my question “Does this mean the data is first written unencrypted to storage, and then at a later time only encrypted while it is already on the storage (and this all transparently of course)?”
Apparently it is, although I could very well image that it would be a kind of streaming (in-memory) operation: the API call to write/put data to the database, which would then be streamed to an encryption API call, after which it would be written to storage.
Do you have any AWS documentation links about these technical details?
Would be interesting. I couldn’t find anything (yet).Thanks,
Robert