Sounds like you should check out dbatools.io to see if they have something to help you automate this.
The critical thing is of course to keep track of all certificates so that you don't lose them. I don't have any experience of this myself, since I am not in a DBA role.
I recommend that you start with some test systems you can afford to lose, so that you get a grip on the operation. That should of course include AGs.
It is also worth mentioning that the value of TDE is of a somewhat limited nature. If an intruder gains access to the machine, the intruder also has access to the key chain that is needed to decrypt the database. However, if the database files are on a SAN, and an attacker only has access to the SAN, the attacker cannot do anything with the files.
The backups will be encrypted and that is important, but that can be achieved without TDE, I believe.
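For readers who want to see what the reply above is talking about in concrete terms, here is the underlying T-SQL for enabling TDE, including the certificate export that the reply calls the critical thing, and a backup encrypted without TDE. This is an added example, not code from the original post or from dbatools (dbatools wraps the same statements in cmdlets). The database names AppDB and OtherDB, the certificate names, the file paths and the passwords are placeholders chosen for the example.

```sql
-- Added example, not from the original post. Assumed names: databases AppDB
-- and OtherDB, certificates TDECert and BackupCert, paths under C:\keys\ and
-- C:\backup\, and placeholder passwords. Run on the current primary.
USE master;
GO

-- 1. Database master key in master. The service master key protects it on this
--    instance; the password is what lets you open it after a restore elsewhere.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-Strong-DMK-Passw0rd!';
GO

-- 2. Certificate that will protect the database encryption key.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDECert')
    CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for AppDB';
GO

-- 3. The step you must not skip: export the certificate WITH its private key and
--    store both files plus the password away from this server. Without them no
--    backup of AppDB can ever be restored on another instance.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDECert.pvk',
        ENCRYPTION BY PASSWORD = 'Replace-With-Strong-PVK-Passw0rd!'
    );
GO

-- 4. Database encryption key inside the user database, protected by the cert.
USE AppDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO

-- 5. Turn TDE on and watch the background scan finish (encryption_state 3 = encrypted).
ALTER DATABASE AppDB SET ENCRYPTION ON;
GO
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
GO

-- 6. On every AG secondary (and any DR/restore target), import the same
--    certificate into master BEFORE seeding or restoring AppDB there:
--
--    USE master;
--    CREATE CERTIFICATE TDECert
--        FROM FILE = 'C:\keys\TDECert.cer'
--        WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
--                          DECRYPTION BY PASSWORD = 'Replace-With-Strong-PVK-Passw0rd!');

-- 7. Encrypted backup WITHOUT TDE (SQL Server 2014 and later). The data files of
--    OtherDB stay in the clear; only the backup file is encrypted. A separate
--    certificate is used so the TDE and backup key material can be rotated and
--    stored independently. Export BackupCert exactly as in step 3.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'BackupCert')
    CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO
BACKUP DATABASE OtherDB TO DISK = 'C:\backup\OtherDB.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert),
         COMPRESSION;
GO
```

The key chain in the reply is visible in steps 1, 2 and 4: service master key protects the database master key, which protects the certificate's private key, which protects the database encryption key. Anyone who can run these statements as a sysadmin on the box can walk that chain, which is why TDE protects file copies and backups taken off the host rather than the host itself. The certificate files produced in step 3 are the only way to restore an encrypted backup elsewhere, so test a restore of AppDB on a second instance using step 6 before relying on the backups.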