Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
When thinking about data encryption, you should mainly consider three scenarios:
- Encrypt your data at rest, which means encrypting it while it's stored on whatever file storage you use.
- Encrypt your data in transit, which means encrypting data while it travels through private or public network communication channels.
- Encrypt your data in use, which means encrypting it while it's actively used in RAM or CPU caches and registers.
This article shows you the alternatives for encrypting data at rest. Suppose someone steal the physical media, like drives or backup tapes, or the database files. A malicious party can restore or attach the database and browse the data if you don't encrypt it. The following mechanisms give you different possibilities to help prevent this outcome.
Important
Data encryption at rest doesn't provide encryption across communication channels. For more information about how to encrypt data across the communication channel between the database and the Business Central Server, see Enhancing Business Server Security. It also doesn't provide encryption while the data is in use. SQL Server offers the Always Encrypted feature, but Business Central doesn't support it.
Transparent Data Encryption (TDE)
You can use Transparent Data Encryption (TDE) to encrypt SQL Server and Azure SQL Database data files at rest. With TDE you can encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. TDE performs real-time I/O encryption and decryption of the data and log files to protect data at rest. TDE can help the ability to comply with many laws, regulations, and guidelines established in various industries. If a malicious party is able to steal your data files, they still can't use them at all because they need the keys.
Caution
Backup files of databases that have TDE enabled are also encrypted by using the database encryption key. As a result, when you restore these backups, the certificate protecting the database encryption key must be available. This means that in addition to backing up the database, you must make sure that you also maintain backups of the server certificates to prevent data loss. Data loss results if the certificate is no longer available.
For more information about TDE, see Transparent Data Encryption (TDE).
BitLocker Drive Encryption
BitLocker is a volume encryption feature included in Windows Server. It protects at the file volume level so when the database server is online, the volume is unlocked, though not decrypted. If a malicious party is able to steal your whole drive, they still can't attach and use it.
Caution
Detaching or backing up a database to a different volume that isn't protected by BitLocker causes any protection the file currently has to be lost.
Learn more in BitLocker overview and how it applies to Windows Server inInstall BitLocker on Windows Server.
Defense in depth with BitLocker Drive Encryption and Transparent Data Encryption (TDE) combined
BitLocker encrypts the entire drive and is integrated in the OS. The effect is that a user process, like SQL Server, running on the machine can access data on the drive as if it weren't encrypted at all. But if the drive gets stolen, nobody can use the data without access to the key.
On the other hand, if someone gets access to the drive through a network share or another service that shares data from the drive, they can copy data, unless the running SQL Server process locks the file. The copy on the new drive isn't encrypted.
With TDE alone, the database files themselves backup files of the TDE-encrypted databases are encrypted. Therefore, if either file is copied or stolen via a network, as in the previous example, the attacker can't read it. But if the attacker gains access to the whole drive, including SQL Server, they can start SQL Server and read the data using SQL, because SQL Server is doing the decryption for them. Now if both BitLocker and TDE are used concurrently, both data theft vectors are mitigated. Both technologies complement each other, and it's recommended that you use BitLocker together with TDE for defense in depth.
Performance impact
TDE has an estimated performance impact around 3-5% and can be lower if most of the data accessed is stored in memory. The main impact is on the CPU; impact on I/O is smaller impact. Learn more in Encrypting file system.
BitLocker Drive Encryption has a single-digit percentage performance impact as explained in BitLocker FAQ.
Related information
Classifying Data
Data Security
Enhancing Business Server Security
Deploy a Business Central Database to Azure SQL Database
Security and Protection