SQL Server Transparent Data Encryption vs. NetLib Encryptionizer
By: Jeremy Kadlec | Updated: 2022-06-01
Problem
Between the legislation over the years (HIPAA, GLBA, GDPR, CCPA, etc.) and data breaches from large organizations that seem to pop up in the news on a monthly basis, SQL Server database encryption is critical for our industry. SQL Server ships with a few options for a native encryption implementation (Column Level Encryption, Transparent Data Encryption, Data Masking, Always Encrypted) that all provide value in particular situations, but none of the options seems to address all of the needs. What is the best way to encrypt our SQL Server data?
Solution
In this article we are going to focus on the common SQL Server encryption needs at most organizations from both a business and technology perspective and how SQL Server Transparent Data Encryption and NetLib Encryptionizer measure up. Let’s dive in.
Compare NetLib Encryptionizer and SQL Server Transparent Data Encryption
Business \ Technology Needs | NetLib Encryptionizer Capabilities | SQL Server TDE Capabilities |
---|---|---|
Supported SQL Server Versions | SQL Server 7.0, SQL Server 2000, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017, SQL Server 2019 | SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017, SQL Server 2019 |
Supported SQL Server Editions | Datacenter, Enterprise, Standard, Web, Express, Developer, LocalDB | Datacenter, Developer, Enterprise, Standard – SQL Server 2019 only |
Encrypt User Databases and Transaction Logs | Yes | Yes |
Encrypt System Databases and Transaction Logs (Master, Model, MSDB and TempDB) | All | TempDB only |
Encrypt FileStream Enabled Databases | Yes | Not Supported |
Encrypt Read Only Filegroups | Yes | Not Supported |
On-Premises SQL Server Instances | Yes | Yes |
Virtualized SQL Server Instances | VMware, Hyper-V, etc. | VMware, Hyper-V, etc. |
SQL Server Instances in the Cloud (IaaS) | SQL Server on Windows Azure, SQL Server on AWS | SQL Server on Windows Azure, SQL Server on AWS |
Database as a Service Support (PaaS) | No – Azure SQL, Azure Synapse Analytics and Amazon RDS | Yes – SQL Azure and Azure Synapse Analytics No – Amazon RDS |
Highly Secure Data | FIPS 140-2 Validated AES in three different modes: Encryption key(s) not stored within any of the SQL Server databases | AES and Triple DES algorithms supported. Multiple keys are stored within SQL Server databases on the instance for multiple operations and layers of security. Ability to create a Certificate tied to an encryption key for additional security |
Performance Impact | 3 to 5% performance degradation depending on server resources and workload | 3 to 5% performance degradation depending on server resources and workload |
Code Changes | No code changes necessary | No code changes necessary |
Implementation | Simple point and click GUI. Command Line and/or script installation and deployment available | T-SQL deployment with Management Studio updates |
Deployment Downtime | Requires a maintenance window to perform the initial encryption | Able to deploy with active database sessions |
Key Management | Ability to bring your own key (BYOK). The Key is not stored in a SQL Server database, but rather can be stored in an encrypted file locally, remotely or in Centralized Key Management. | Complex multi key paradigm including a Service Master Key, Database Master Key and Database Encryption Key |
Centralized Key Management | Yes – Encryptionizer Key Manager (EKM) enables centralized key management | Not Supported |
Encrypt Files \ Folders \ Blobs on the SQL Server’s file system | Yes | Not Supported |
Distribute Encryption with Custom Applications | Yes – Seamless integration with your current SQL Server database deployment model with the addition of an installer and a script file. | Not Supported |
Encrypted SQL Server Backups | Yes – During the initial Encryptionizer configuration you have the ability to enable “Always Encrypted New Created SQL Server Backups” for All, Some or None of the databases. This ensures all SQL Server Full, Differential and Transaction Log backups are written to disk as encrypted files so the data is never compromised online or offline. Encryptionizer even supports the protection of Compressed backups. | Yes – Encrypted full, differential and transaction log backups are written to disk, such that the data would never be compromised while on disk. Not Supported – Encrypted Compressed backups |
Application Encryption | Yes – Encrypt DLL’s for both Managed and Unmanaged code | Not Supported |
Cost | Encryptionizer is generally 15 to 20 percent of the licensing cost of upgrading to SQL Server Enterprise Edition, and is less than half the licensing cost of SQL Server 2019 Standard Edition. Deploying and managing Encryptionizer is a low resource intensive process. Volume and OEM licensing is available providing further cost savings. | Upgrading a single 8-core server from SQL Server Standard to Enterprise Edition could cost more than $80,000 USD. Licensing SQL Server 2019 Standard Edition with an 8-core server could cost over $28,000 USD. Significant Development, DBA and QA resources may be required to upgrade to the latest SQL Server version as well as day to day management. |
Summary
- NetLib’s Encryptionizer seamlessly encrypts user databases, system databases, FileStreams, transaction logs and backups for SQL Server installations on-premises, virtualized and common cloud deployments.
- Further, Encryptionizer encrypts files and folders in Windows as well as Windows Applications (beyond SQL Server such as Exchange, MySQL, Microsoft Access, IIS, Tomcat, Custom Applications, etc.) and Services.
- For software development organizations, Encryptionizer includes an OEM Distribution model to encrypt your SQL Server database, code and external files.
- Encryptionizer accomplishes all of this at a much more affordable price point than upgrading to SQL Server Enterprise Edition.
- Although SQL Server 2019 Standard Edition now supports Transparent Data Encryption, the true cost to upgrade far exceeds the licensing costs, and therefore Encryptionizer is a more cost effective and comprehensive solution.
How does Encryptionizer work?
From an architecture perspective, Encryptionizer has two main components:
- A kernel mode driver running between the SQL Server process and Windows
- A user mode service, called the Key Manager Service (KMS) that delivers encryption keys to the kernel mode driver
To get started, Encryptionizer is installed using a GUI or Command Line Interface (CLI) to initially encrypt the selected database files with a specific key. The next step is to “Secure” the SQL Server instance with an encrypted Security Profile that contains the encryption key service name (or full path to the executable) and the encryption key(s) to be used for that instance of SQL Server. Encryptionizer then stores the key and process information in an encrypted file and the Registry. When SQL Server starts, the Encryptionizer Key Manager Service (KMS) decrypts the key information and passes it to the Encryptionizer Kernel Mode driver. After that, the kernel mode driver dynamically decrypts data as it is being read (in memory only – never on disk) and encrypts it to disk as it is being written.
How do I get started with Encryptionizer?
- Learn more about Encryptionizer:
- Get started with Encryptionizer to see how to seamlessly encrypt your enterprise data.
- Have a unique situation? Reach out to NetLib support, who pride themselves on timely and comprehensive solutions.
- Enumerate all of the legal, regulatory and SQL Server best practices that you need to address and how Encryptionizer helps:
  - No code changes to completely encrypt your SQL Server databases
  - No need to upgrade to SQL Server Enterprise Edition or SQL Server 2019
  - Support for all editions and versions of SQL Server as well as the remainder of your Exchange, MySQL, Microsoft Access, IIS, Tomcat, Custom Applications and more
  - Simple installation and configuration with an intuitive wizard-based interface to protect your databases in less than an hour
  - Encryption for embedded applications such as medical devices that are in the field and need protection
- Put Encryptionizer through its paces in your environment, share the results with your team and determine your next steps.
Next Steps
- Check out these Encryptionizer videos:
- Get your free evaluation version
- Learn more about all of the NetLib solutions
MSSQLTips.com Product Editorial sponsored by NetLib, makers of Encryptionizer.