14,494 questions
SQL server database encryption step by step
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 78%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
mgmjtech
16
Reputation points
I have a SQL 2016 database server and would like to implement database encryption. Can someone please point me or have the process on how to do this from the start to the end?
1 how to create master key and certificate
2 run the SQL encryption query
please include other steps that I missed.
SQL Server Other
{count} votes
-
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator2021-08-12T21:30:16.16+00:00 What are your requirements for the encryption? There are three ways (at least) to implement encryption in SQL Server, and the aim for these methods are different.
Do you want to protect data at rest - that is, prevent that someone walks away with data file and reads the data elsewhere?
Do you want prevent the DBA from reading sensitive data?
Something else?
If you don't know you want to achieve, you cannot achieve it.
Sign in to comment
2 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 84%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYM%3C/text%3E%3C/svg%3E)
YufeiShao-msft 7,146 Reputation points2021-08-13T07:37:16.67+00:00 Hi @mgmjtech ,
SQL Server provides the following mechanisms for encryption, you can choose different encryption algorithm to meet your needs:
Asymmetric keys
Symmetric keys
Certificates
Transparent Data Encryption(TDE)
Encrypt a Column of Data:https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-ver15
Always Encrypted: https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
Transact-SQL functions:
create certificate and master key with T-SQL, you can refer to:
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-certificate-transact-sql?view=sql-server-ver15
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-master-key-transact-sql?view=sql-server-ver15According to your question, I guess you want to use TDE.
TDE protects data at rest, which is the data and log files and does real-time I/O encryption and decryption of data and log files. TDE encrypts an entire database using that symmetric key called the database encryption key. The database encryption key is protected by other keys or certificates which are protected either by the database master key or by an asymmetric key stored in an EKM module.
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)