SQL Server Transparent Data Encryption vs. NetLib Encryptionizer


By:   |   Updated: 2019-12-10   |   Comments (1)   |   Related: More > Encryption

Problem

Between the legislation over the years (HIPAA, GLBA, GDPR, CCPA, etc.) and data breaches from large organizations that seem to pop-up in the news on a monthly basis, SQL Server database encryption is critical for our industry.  SQL Server ships with a few options for a native encryption implementation (Column Level Encryption, Transparent Data Encryption, Data Masking, Always Encrypted), that all provide value in particular situations, but none of the options all seem to address all of the needs.  What is the best way to encrypt our SQL Server data?

Solution

In this article we are going to focus on the common SQL Server encryption needs at most organizations from both a business and technology perspective and how SQL Server Transparent Data Encryption and NetLib Encryptionizer measure up.  Let’s dive in.

Compare NetLib Encryptionizer and SQL Server Transparent Data Encryption

Business \ Technology Needs NetLib Encryptionizer Capabilities SQL Server TDE Capabilities
Supported SQL Server Versions SQL Server 7.0
SQL Server 2000
SQL Server 2005
SQL Server 2008
SQL Server 2008 R2
SQL Server 2012
SQL Server 2014
SQL Server 2016
SQL Server 2017
SQL Server 2019
SQL Server 2008
SQL Server 2008 R2
SQL Server 2012
SQL Server 2014
SQL Server 2016
SQL Server 2017
SQL Server 2019
Supported SQL Server Editions Datacenter
Enterprise
Standard
Web
Express
Developer
LocalDB
Datacenter
Developer
Enterprise
Standard – SQL Server 2019 only
Encrypt User Databases and Transaction Logs Yes Yes
Encrypt System Databases and Transaction Logs (Master, Model, MSDB and TempDB) All TempDB only
Encrypt FileStream Enabled Databases Yes Not Supported
Encrypt Read Only Filegroups Yes Not Supported
On-Premises SQL Server Instances Yes Yes
Virtualized SQL Server Instances VMware, Hyper-V, etc. VMware, Hyper-V, etc.
SQL Server Instances in the Cloud (IaaS) SQL Server on Windows Azure, SQL Server on AWS SQL Server on Windows Azure, SQL Server on AWS
Database as a Service Support (PaaS) No – Azure SQL, Azure Synapse Analytics and Amazon RDS Yes – SQL Azure and Azure Synapse Analytics No – Amazon RDS
Highly Secure Data FIPS 140-2 Validated AES in three different modes:
  • AES-ECB - Compatibility with earlier versions of Encryptionizer
  • AES-CBC – Database files and backups
  • AES-CTR - Unstructured data and folders
Key Length: 128-bit or 256-bit

Encryption key(s) not stored within any of the SQL Server databases
AES and Triple DES algorithms supported

Multiple keys are stored within SQL Server databases on the instance for multiple operations and layers of security

Ability to create a Certificate tied to an encryption key for additional security
Performance Impact 3 to 5% performance degradation depending on server resources and workload 3 to 5% performance degradation depending on server resources and workload
Code Changes No code changes necessary No code changes necessary
Implementation Simple point and click GUI. 

Command Line and/or script installation and deployment available
T-SQL deployment with Management Studio updates
Deployment Downtime Requires a maintenance window to perform the initial encryption Able to deploy with active database sessions
Key Management Ability to bring your own key (BYOK). The Key is not stored in a SQL Server database, but rather can be stored in an encrypted file locally, remotely or in Centralized Key Management. Complex multi key paradigm including a Service Master Key, Database Master Key and Database Encryption Key
Centralized Key Management Yes – Encryptionizer Key Manager (EKM) enables centralized key management Not Supported
Encrypt Files \ Folders \ Blobs on the SQL Server’s file system Yes Not Supported
Distribute Encryption with Custom Applications Yes – Seamless integration with your current SQL Server database deployment model with the addition of an installer and a script file. Not Supported
Encrypted SQL Server Backups Yes – During the initial Encryptionizer configuring you have the ability to enable “Always Encrypted New Created SQL Server Backups” for All, Some or None of the databases.

This ensures all SQL Server Full, Differential and Transaction Log backups are written to disk as encrypted files so the data is never compromised online or offline.

Encryptionizer even supports the protection of Compressed backups.
Yes – Encrypted full, differential and transaction log backups are written to disk, such that the data would never be compromised while on disk

Not Supported - Encrypted Compressed backups
Application Encryption Yes – Encrypt DLL’s for both Managed and Unmanaged code Not Supported
Cost Encryptionizer is generally 15 to 20 percent of the licensing cost of upgrading to SQL Server Enterprise Edition, and is less than half the licensing cost of SQL Server 2019 Standard Edition.

Deploying and managing Encryptionizer is a low resource intensive process.

Volume and OEM licensing is available providing further cost savings.
Upgrading a single 8-core server from SQL Server Standard to Enterprise Edition could cost more than $80,000 USD.

Licensing SQL Server 2019 Standard Edition with an 8-core server could cost over $28,000 USD.

Significant Development, DBA and QA resources may be required to upgrade to the latest SQL Server version as well as day to day management.

Summary

  • NetLib’s Encryptionizer seamlessly encrypts user databases, system databases, FileStreams, transaction logs and backups for SQL Server installations on-premises, virtualized and common cloud deployments.
  • Further, Encryptionizer encrypts files and folders in Windows as well as Windows Applications (beyond SQL Server such as Exchange, MySQL, Microsoft Access, IIS, Tomcat, Custom Applications, etc.) and Services.
  • For software development organizations, Encryptionizer includes an OEM Distribution model to encrypt your SQL Server database, code and external files.
  • Encryptionizer accomplishes all of this at a much more affordable price point than upgrading to SQL Server Enterprise Edition.
  • Although SQL Server 2019 Standard Edition now supports Transparent Data Encryption, the true cost to upgrade far exceeds the licensing costs andtherefore Encryptionizer is a more cost effective and comprehensive solution.

How does Encryptionizer work?

From an architecture perspective, Encryptionizer has two main components:

  • A kernel mode driver running between the SQL Server process and Windows
  • A user mode service, called the Key Manager Service (KMS) that delivers encryption keys to the kernel mode driver

To get started Encryptionizer is installed using a GUI or Command Line Interface (CLI) to initially encrypt the selected database files with a specific key. The next step is to “Secure” the Server SQL instance with an encrypted Security Profile that contains the encryption key service name (or full path to the executable) and the encryption key(s) to be used for that instance of SQL Server.  Encryptionizer then stores the key and process information in an encrypted file and the Registry.  When SQL Server starts, the Encryptionizer Key Manager Service (KMS) decrypts the key information and passes it to the Encryptionizer Kernel Mode driver. After that, the kernel mode driver dynamically decrypts data as it is being read (in memory only – never on disk) and encrypts it to disk as it is being written.

How do I get started with Encryptionizer?

  1. Learn more about Encryptionizer:
    1. SQL Server
    2. Developer Versions
    3. Medical Device Encryption
    4. Compliance
  2. Get started with Encryptionizer to see how to seamlessly encrypt your enterprise data.
  3. Have a unique situation, reach out to the NetLib support that pride themselves on timely and comprehensive solutions.
  4. Enumerate all of the legal, regulatory and SQL Server best practices that you need to address and how Encryptionizer helps:
    1. No code changes to completely encrypt your SQL Server databases
    2. No need to upgrade to SQL Server Enterprise Edition or SQL Server 2019
    3. Support for all editions and versions of SQL Server as well as the remainder of your Exchange, MySQL, Microsoft Access, IIS, Tomcat, Custom Applications and more
    4. Simple installation and configuration with an intuitive wizard-based interface to protect your databases in less than an hour
    5. Encryption for embedded applications such as medical devices that are in the field and need protection
  5. Put Encryptionizer through its paces in your environment, share the results with your team and determine your next steps.
Next Steps

MSSQLTips.com Product Editorial sponsored by NetLib, makers of Encryptionizer.



Last Updated: 2019-12-10


get scripts

next tip button



About the author
MSSQLTips author Jeremy Kadlec Jeremy Kadlec is the Co-Founder, Editor and Author at MSSQLTips.com, CTO @ Edgewood Solutions and a six time SQL Server MVP.

View all my tips




More SQL Server Solutions











Post a comment or let the author know this tip helped.

All comments are reviewed, so stay on subject or we may delete your comment. Note: your email address is not published. Required fields are marked with an asterisk (*).

*Name
*Email
Email me updates

Signup for our newsletter

I agree by submitting my data to receive communications, account updates and/or special offers about SQL Server from MSSQLTips and/or its Sponsors. I have read the privacy statement and understand I may unsubscribe at any time.





Tuesday, December 10, 2019 - 5:00:56 PM - Kyle Back To Top

We've been using Netlib for about three years now, and have not had any problems with it.



download


Recommended Reading

Storing passwords in a secure way in a SQL Server database

SQL Server Column Level Encryption Example using Symmetric Keys

Encrypting and Decrypting SQL Server Stored Procedures, Views and User-Defined Functions

Where Does SQL Server Store Its Certificates

Encryption Protection for your Application and SQL Databases





get free sql tips
agree to terms


Learn more about SQL Server tools