Is data encryption in transit and data encryption at rest compatible

  • Question

  • On our 2014 AlwaysOn cluster, we installed an SSL certificate to enforce data encryption in transit at the instance level, i.e., we set the "Force Encryption" flag to "Yes".  We need to host a 3rd party application that uses TripleDES encryption with hashing (MD5) to encrypt image data (and possibly other data).  Encryption and decryption are done at the client level.  Data is stored encrypted in the database.  Is the vendor's encryption of data at rest compatible with our data encryption in transit?  Do you need more information to answer that question?  Thanks.
    Friday, May 3, 2019 7:12 PM

All replies

  • By compatible, do you mean will it be able to read data?  For encryption at rest what are you using....TDE?
    Friday, May 3, 2019 8:38 PM
  • By compatible, do you mean will it be able to read data?

         Yes, with no heavy performance impact.

    For encryption at rest what are you using....TDE?

         I don't know the answer to that.  As I said, the vendor's app does the encryption/decryption at the client, not on the SQL Server.  So I don't know ultimately how the data is stored in SQL.  I only know that I'm not being asked to set up TDE or column-level encryption at the server or database or table level.

    Friday, May 3, 2019 9:17 PM
  • What happens is that the already encrypted bits are encrypted once more and decrypted on arrival. This is no different from if you send something in clear text. It's just a bunch of bits. So, yes, it will work.

    Erland Sommarskog, SQL Server MVP,

    Friday, May 3, 2019 9:25 PM
  • Please note that Encryption in Transit as it is implemented using SSL/TLS will encrypt the whole communication with SQL Server. Specifically this includes any command text such as "SELECT x FROM TableZ". The response is encrypted completely as well.

    When you compare this with Always Encrypted you will notice that only the contents of the specifically encrypted columns are encrypted and everything else is still visible over the wire.

    Both are completely transparent to each other and non-exclusive. In other words you can use both layers of defense.

    hope this clarifies


    Andreas Wolter (Blog | Twitter)
    Senior Program Manager SQL Server & Azure Security

    MCSM: Microsoft Certified Solutions Master Data Platform/SQL Server 2012

    Monday, May 13, 2019 3:47 PM
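The layering described in the two answers above (Erland's point that the transport layer just carries "a bunch of bits", and Andreas's point that TLS hides the command text while client-side column encryption hides only the column value), as an added illustration that is not part of the original thread. It models the three configurations and shows what a network observer, the server, and the client each see. The keyed XOR keystream is a constructed stand-in for both the TLS record layer and the vendor's 3DES scheme, not a real cipher; the keys, nonces, request framing and image bytes are all constructed for the example.

```python
"""Model of transport encryption (Force Encryption = Yes) layered over
client-side encryption at rest. The SHA-256 counter keystream below is an
illustrative stand-in for TLS and for the vendor's 3DES; it is NOT a cipher
to use in practice, it only shows which layer hides which bytes."""
import hashlib
from dataclasses import dataclass
from typing import Tuple


def toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric XOR with a keyed counter keystream; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# Constructed keys: the vendor's client-side key and one TLS session key.
COLUMN_KEY = hashlib.sha256(b"vendor-client-side-key (constructed)").digest()
TLS_SESSION_KEY = hashlib.sha256(b"tls-session-key (constructed)").digest()


def client_encrypt_value(plaintext: bytes, nonce: bytes = b"\x00" * 12) -> bytes:
    """Vendor-style encryption at rest, applied on the client before the INSERT."""
    return nonce + toy_stream_xor(COLUMN_KEY, nonce, plaintext)


def client_decrypt_value(stored: bytes) -> bytes:
    nonce, body = stored[:12], stored[12:]
    return toy_stream_xor(COLUMN_KEY, nonce, body)


def build_request(sql: str, param: bytes) -> bytes:
    """Simplified stand-in for a TDS request: command text plus one binary parameter."""
    return sql.encode("utf-8") + b"\x00PARAM\x00" + param


def parse_request(request: bytes) -> Tuple[str, bytes]:
    sql, _, param = request.partition(b"\x00PARAM\x00")
    return sql.decode("utf-8"), param


@dataclass
class Trace:
    on_the_wire: bytes   # what a network observer captures
    stored_in_db: bytes  # what lands in the column
    recovered: bytes     # what the client gets back after its own decryption


def send_and_store(image: bytes, *, encrypt_at_rest: bool, force_encryption: bool,
                   tls_nonce: bytes = b"\x01" * 12) -> Trace:
    sql = "INSERT INTO dbo.Images(Data) VALUES (@p)"
    param = client_encrypt_value(image) if encrypt_at_rest else image
    request = build_request(sql, param)
    # Transport layer: with Force Encryption the whole request, command text
    # included, is opaque on the wire; otherwise it travels as-is.
    wire = toy_stream_xor(TLS_SESSION_KEY, tls_nonce, request) if force_encryption else request
    # Server side: TLS is removed on arrival and the parameter bytes are stored
    # exactly as received. The server never needs the vendor's key.
    received = toy_stream_xor(TLS_SESSION_KEY, tls_nonce, wire) if force_encryption else wire
    _, stored = parse_request(received)
    recovered = client_decrypt_value(stored) if encrypt_at_rest else stored
    return Trace(wire, stored, recovered)


def sql_visible_on_wire(trace: Trace) -> bool:
    return b"INSERT INTO" in trace.on_the_wire


def image_visible_on_wire(trace: Trace, image: bytes) -> bool:
    return image in trace.on_the_wire


if __name__ == "__main__":
    image = b"\x89PNG constructed image bytes"
    for rest, tls in [(False, False), (True, False), (True, True)]:
        t = send_and_store(image, encrypt_at_rest=rest, force_encryption=tls)
        print(f"at rest={rest!s:5} TLS={tls!s:5} "
              f"sql on wire={sql_visible_on_wire(t)!s:5} "
              f"image on wire={image_visible_on_wire(t, image)!s:5} "
              f"recovered ok={t.recovered == image}")
```

The third row is the thread's scenario: the column bytes stored in the database are identical with and without TLS, which is why the two layers do not interfere, and only with Force Encryption does the command text itself disappear from the wire.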