SQL Server Transparent Data Encryption vs. NetLib Encryptionizer

By: Jeremy Kadlec   |   Updated: 2022-06-01


Problem

Between the legislation over the years (HIPAA, GLBA, GDPR, CCPA, etc.) and data breaches from large organizations that seem to pop up in the news on a monthly basis, SQL Server database encryption is critical for our industry. SQL Server ships with a few options for a native encryption implementation (Column Level Encryption, Transparent Data Encryption, Data Masking, Always Encrypted) that all provide value in particular situations, but none of the options seems to address all of the needs. What is the best way to encrypt our SQL Server data?

Solution

In this article we are going to focus on the common SQL Server encryption needs at most organizations from both a business and technology perspective and how SQL Server Transparent Data Encryption and NetLib Encryptionizer measure up.  Let’s dive in.

Compare NetLib Encryptionizer and SQL Server Transparent Data Encryption

| Business \ Technology Needs | NetLib Encryptionizer Capabilities | SQL Server TDE Capabilities |
| --- | --- | --- |
| Supported SQL Server Versions | SQL Server 7.0, 2000, 2005, 2008, 2008 R2, 2012, 2014, 2016, 2017, 2019 | SQL Server 2008, 2008 R2, 2012, 2014, 2016, 2017, 2019 |
| Supported SQL Server Editions | Datacenter, Enterprise, Standard, Web, Express, Developer, LocalDB | Datacenter, Developer, Enterprise, Standard – SQL Server 2019 only |
| Encrypt User Databases and Transaction Logs | Yes | Yes |
| Encrypt System Databases and Transaction Logs (Master, Model, MSDB and TempDB) | All | TempDB only |
| Encrypt FileStream Enabled Databases | Yes | Not Supported |
| Encrypt Read Only Filegroups | Yes | Not Supported |
| On-Premises SQL Server Instances | Yes | Yes |
| Virtualized SQL Server Instances | VMware, Hyper-V, etc. | VMware, Hyper-V, etc. |
| SQL Server Instances in the Cloud (IaaS) | SQL Server on Windows Azure, SQL Server on AWS | SQL Server on Windows Azure, SQL Server on AWS |
| Database as a Service Support (PaaS) | No – Azure SQL, Azure Synapse Analytics and Amazon RDS | Yes – SQL Azure and Azure Synapse Analytics; No – Amazon RDS |
| Highly Secure Data | FIPS 140-2 Validated AES in three different modes: AES-ECB (compatibility with earlier versions of Encryptionizer), AES-CBC (database files and backups), AES-CTR (unstructured data and folders). Key Length: 128-bit or 256-bit. Encryption key(s) not stored within any of the SQL Server databases. | AES and Triple DES algorithms supported. Multiple keys are stored within SQL Server databases on the instance for multiple operations and layers of security. Ability to create a Certificate tied to an encryption key for additional security. |
| Performance Impact | 3 to 5% performance degradation depending on server resources and workload | 3 to 5% performance degradation depending on server resources and workload |
| Code Changes | No code changes necessary | No code changes necessary |
| Implementation | Simple point and click GUI. Command Line and/or script installation and deployment available. | T-SQL deployment with Management Studio updates |
| Deployment Downtime | Requires a maintenance window to perform the initial encryption | Able to deploy with active database sessions |
| Key Management | Ability to bring your own key (BYOK). The Key is not stored in a SQL Server database, but rather can be stored in an encrypted file locally, remotely or in Centralized Key Management. | Complex multi key paradigm including a Service Master Key, Database Master Key and Database Encryption Key |
| Centralized Key Management | Yes – Encryptionizer Key Manager (EKM) enables centralized key management | Not Supported |
| Encrypt Files \ Folders \ Blobs on the SQL Server’s file system | Yes | Not Supported |
| Distribute Encryption with Custom Applications | Yes – Seamless integration with your current SQL Server database deployment model with the addition of an installer and a script file. | Not Supported |
| Encrypted SQL Server Backups | Yes – During the initial Encryptionizer configuration you have the ability to enable “Always Encrypted New Created SQL Server Backups” for All, Some or None of the databases. This ensures all SQL Server Full, Differential and Transaction Log backups are written to disk as encrypted files so the data is never compromised online or offline. Encryptionizer even supports the protection of Compressed backups. | Yes – Encrypted full, differential and transaction log backups are written to disk, such that the data would never be compromised while on disk. Not Supported - Encrypted Compressed backups. |
| Application Encryption | Yes – Encrypt DLLs for both Managed and Unmanaged code | Not Supported |
| Cost | Encryptionizer is generally 15 to 20 percent of the licensing cost of upgrading to SQL Server Enterprise Edition, and is less than half the licensing cost of SQL Server 2019 Standard Edition. Deploying and managing Encryptionizer is a low resource intensive process. Volume and OEM licensing is available, providing further cost savings. | Upgrading a single 8-core server from SQL Server Standard to Enterprise Edition could cost more than $80,000 USD. Licensing SQL Server 2019 Standard Edition with an 8-core server could cost over $28,000 USD. Significant Development, DBA and QA resources may be required to upgrade to the latest SQL Server version as well as day to day management. |
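
The TDE column's Key Management and Implementation rows refer to a T-SQL deployment built on a Service Master Key, Database Master Key, certificate and Database Encryption Key. The script below is an added example, not code from the original article or from either vendor; the database name SalesDb, the certificate name TdeCert, the backup paths and the password placeholders are all hypothetical.

```sql
-- Added example. SalesDb, TdeCert, the D:\KeyBackup paths and the passwords
-- are hypothetical placeholders; substitute your own values.
USE master;
GO
-- Database Master Key in master. SQL Server protects it with the
-- instance-level Service Master Key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
GO
-- Certificate whose private key is protected by the Database Master Key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- Back up the certificate and private key before enabling encryption.
-- Without them the database and its backups cannot be restored elsewhere.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\KeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder: second strong password>');
GO
USE SalesDb;
GO
-- Database Encryption Key, stored in the user database and protected
-- by the certificate in master.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- Starts a background encryption scan; sessions can stay connected.
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb appears here as soon as any user database uses TDE.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       c.name AS protecting_certificate,
       c.expiry_date,
       c.pvt_key_last_backup_date   -- NULL means the key was never backed up
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;

-- Audit: user databases on this instance that TDE does not cover.
SELECT name FROM sys.databases WHERE is_encrypted = 0 AND database_id > 4;
```
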

Summary

  • NetLib’s Encryptionizer seamlessly encrypts user databases, system databases, FileStreams, transaction logs and backups for SQL Server installations on-premises, virtualized and common cloud deployments.
  • Further, Encryptionizer encrypts files and folders in Windows as well as Windows Applications (beyond SQL Server such as Exchange, MySQL, Microsoft Access, IIS, Tomcat, Custom Applications, etc.) and Services.
  • For software development organizations, Encryptionizer includes an OEM Distribution model to encrypt your SQL Server database, code and external files.
  • Encryptionizer accomplishes all of this at a much more affordable price point than upgrading to SQL Server Enterprise Edition.
  • Although SQL Server 2019 Standard Edition now supports Transparent Data Encryption, the true cost to upgrade far exceeds the licensing costs, and therefore Encryptionizer is a more cost-effective and comprehensive solution.

How does Encryptionizer work?

From an architecture perspective, Encryptionizer has two main components:

  • A kernel mode driver running between the SQL Server process and Windows
  • A user mode service, called the Key Manager Service (KMS) that delivers encryption keys to the kernel mode driver

To get started, Encryptionizer is installed using a GUI or Command Line Interface (CLI) to initially encrypt the selected database files with a specific key. The next step is to “Secure” the SQL Server instance with an encrypted Security Profile that contains the encryption key service name (or full path to the executable) and the encryption key(s) to be used for that instance of SQL Server. Encryptionizer then stores the key and process information in an encrypted file and the Registry. When SQL Server starts, the Encryptionizer Key Manager Service (KMS) decrypts the key information and passes it to the Encryptionizer kernel mode driver. After that, the kernel mode driver dynamically decrypts data as it is being read (in memory only – never on disk) and encrypts it as it is being written to disk.

How do I get started with Encryptionizer?

  1. Learn more about Encryptionizer:
    1. SQL Server
    2. Developer Versions
    3. Medical Device Encryption
    4. Compliance
  2. Get started with Encryptionizer to see how to seamlessly encrypt your enterprise data.
  3. Have a unique situation? Reach out to NetLib support, who pride themselves on timely and comprehensive solutions.
  4. Enumerate all of the legal, regulatory and SQL Server best practices that you need to address and how Encryptionizer helps:
    1. No code changes to completely encrypt your SQL Server databases
    2. No need to upgrade to SQL Server Enterprise Edition or SQL Server 2019
    3. Support for all editions and versions of SQL Server as well as the remainder of your Exchange, MySQL, Microsoft Access, IIS, Tomcat, Custom Applications and more
    4. Simple installation and configuration with an intuitive wizard-based interface to protect your databases in less than an hour
    5. Encryption for embedded applications such as medical devices that are in the field and need protection
  5. Put Encryptionizer through its paces in your environment, share the results with your team and determine your next steps.

MSSQLTips.com Product Editorial sponsored by NetLib, makers of Encryptionizer.



About the author
Jeremy Kadlec is a Co-Founder, Editor and Author at MSSQLTips.com with more than 300 contributions. He is also the CTO @ Edgewood Solutions and a six-time SQL Server MVP. Jeremy brings 20+ years of SQL Server DBA and Developer experience to the community after earning a bachelor’s degree from SSU and master’s from UMBC.


Comments For This Article




Tuesday, December 10, 2019 - 5:00:56 PM - Kyle

We've been using Netlib for about three years now, and have not had any problems with it.