TDE vs Column Encryption

Transparent Data Encryption is easy, but it has its trade-offs

SQL Server 2008 introduced a great new feature, TDE, or Transparent Data Encryption. It allows a database to be encrypted in its entirety without any change to the applications that access it. It is referred to as encryption of "data at rest". But what about data in motion? That is where column-level encryption can provide end-to-end encryption.

With TDE, every data page is encrypted as it is written to disk and decrypted as it is read from disk. This provides an additional physical level of security, so if a disk drive falls into the wrong hands the data is protected by strong encryption. This also applies to backup tapes, since technically a backup is a copy of the encrypted data pages on disk. The master key and the associated certificate are backed up separately, providing an extra level of security. One major trade-off is that as soon as even one database has TDE enabled, TempDB is encrypted as well. This has performance implications. Because the application does not have to change, TDE is ideal for packaged databases provided by third parties.

Column-level (or "cell-level") encryption was introduced with SQL Server 2005. We can encrypt individual columns that are sensitive in nature. The trade-off here is that we need to change our database design, as the data type we use needs to be varbinary. The application also has to be changed to use a symmetric key, a certificate and the functions EncryptByKey and DecryptByKey. There is extra administration to secure the symmetric keys and certificates, and performance again takes a hit. However, once encrypted, the columns are encrypted on disk, in memory, across the network, everywhere, until we choose to decrypt the data in the application.

Database Encryption in SQL Server 2008: http://msdn.microsoft.com/en-us/library/cc278098(SQL.100).aspx

I remember when all we could say for SQL Server 2000 was "go purchase encryption software". Now, at least, we have a few choices.

Cheers,
Brian
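The two approaches the post contrasts, as an added T-SQL example that is not from the original post: the database name KeyDemo, the certificate and key names, the dbo.Customer table, the placeholder passwords and the sample row are all constructed for illustration.

```sql
-- Server-level pieces for TDE: a master key and certificate in the master database.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password, placeholder>';
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate';
-- Back up TdeServerCert and its private key now; without them the database cannot be restored.

-- Option 1: TDE. The whole database is encrypted at rest with no schema or application change.
USE KeyDemo;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
ALTER DATABASE KeyDemo SET ENCRYPTION ON;
-- Side effect the post describes: tempdb is now encrypted too.
SELECT name, is_encrypted FROM sys.databases WHERE name IN ('KeyDemo', 'tempdb');

-- Option 2: column-level encryption. Needs a varbinary column and application changes.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password, placeholder>';
CREATE CERTIFICATE SensitiveCert WITH SUBJECT = 'Column encryption certificate';
CREATE SYMMETRIC KEY SensitiveKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SensitiveCert;

CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    SSN_Enc    VARBINARY(256) NOT NULL   -- ciphertext, not the original string type
);

-- Write path: open the key, encrypt on insert. The authenticator (the row's Name)
-- ties each ciphertext to its row so values cannot be swapped between rows unnoticed.
OPEN SYMMETRIC KEY SensitiveKey DECRYPTION BY CERTIFICATE SensitiveCert;
INSERT INTO dbo.Customer (Name, SSN_Enc)
VALUES (N'Sample Customer',
        EncryptByKey(Key_GUID('SensitiveKey'), N'000-00-0000', 1, N'Sample Customer'));
CLOSE SYMMETRIC KEY SensitiveKey;

-- Read path: plaintext exists only inside a session that can open the key; the column
-- itself stays varbinary ciphertext on disk, in memory, in backups and on the wire.
OPEN SYMMETRIC KEY SensitiveKey DECRYPTION BY CERTIFICATE SensitiveCert;
SELECT Name,
       CONVERT(NVARCHAR(11), DecryptByKey(SSN_Enc, 1, Name)) AS SSN
FROM dbo.Customer;
CLOSE SYMMETRIC KEY SensitiveKey;
```

Note that the column-level path requires the session to hold permission to open the key, which is the administration overhead the post refers to, while the TDE path needs no change on the reading side at all.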


Copyright © 2010 IDG Communications, Inc.
