Matthew McGiffen explains one limitation of transparent data encryption:
TDE encrypts data stored on the file system, so it should be pretty clear that we are trying to protect ourselves from an attacker who gets access to our files. You would be right in suggesting that shouldn’t be allowed to happen. Access controls should be in place to prevent inappropriate access. The reality, though, is that sometimes we get hacked and someone is able to work around our access controls. Sometimes backup files are stored offsite with a different organization where we do not control the access. That is why we have encryption – encryption is an extra line of defense. TDE offers no protection, however, against individuals who have direct access to query the database.
Let’s say someone does get access to our files – does TDE mean we are still sufficiently protected?
My problem with TDE is something Simon McCauliffe wrote about a few years back (Wayback Machine link because the actual site went down in 2020): if you have root-level access to the server, you can ultimately get access to all of the keys to break TDE. I suppose the level of effort involved is high and that will mitigate the risk, but it’s always there.
I cover the issue Simon McCauliffe talks about in an old post on my blog but will be covering it again in a few posts. It’s something you can mitigate by applying appropriate permissions over the root keys on your server. Those with admin rights can break down TDE anyway, so if you make sure only admins can access the root keys then you maintain the same level of protection.
Great. I’m definitely looking forward to that post and will be sure to link it.
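To make the two points above concrete (the quoted limitation that TDE only protects files at rest, and the comment thread's point that whoever holds the root keys can unwrap everything), here is an added T-SQL walkthrough of the SQL Server TDE key hierarchy. It is example code written for this page, not code from the post, the comments, or either author; the database name SalesDB, the certificate name TDE_Cert, the table dbo.Customers, the export paths and the passphrases are all assumed placeholders.

```sql
-- Added example (not from the post or the comments): the SQL Server TDE key
-- hierarchy, what it does and does not protect, and the point at which a
-- server admin can walk it. Names, paths and passphrases are placeholders.
USE master;
GO
-- 1. Database Master Key (DMK) in master, protected by the Service Master Key.
--    The SMK is the root of the hierarchy and is itself protected by DPAPI
--    under the SQL Server service account. That is why an OS-level admin on
--    the host, or anyone who can run as the service account, can ultimately
--    reach every key below it: the root is only as protected as the box.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Str0ng!Passphrase-ChangeMe';
GO
-- 2. A certificate in master that will protect the per-database key.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. The Database Encryption Key (DEK) lives inside the user database and is
--    wrapped by the certificate. Enabling encryption then rewrites the
--    mdf/ldf pages (and all future backups) under the DEK.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 4. Confirm state: encryption_state 3 = encrypted, 2 = encryption in progress.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- 5. What TDE does NOT do: a login with plain SELECT rights reads clear text.
--    Pages are decrypted transparently as they enter the buffer pool, so TDE
--    protects the files on disk, not data reached through a query.
SELECT TOP (5) * FROM dbo.Customers;
GO
-- 6. The admin path the post and comments refer to. Anyone holding CONTROL
--    SERVER (in practice, sysadmin) can export the certificate together with
--    its private key and restore the encrypted backup on another instance.
--    This is a documented, legitimate operation (it is how you move TDE
--    databases between servers), which is exactly why the mitigation in the
--    comments is to control who can reach the root keys rather than to
--    expect TDE itself to resist an administrator.
USE master;
GO
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\KeyExport\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyExport\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'Export!Passphrase-ChangeMe');
GO
-- 7. Audit check: who could perform step 6 on this instance? List sysadmin
--    members and anyone granted CONTROL SERVER directly. Review this list the
--    same way you would review who holds root on the host.
SELECT p.name, p.type_desc
FROM sys.server_principals AS p
WHERE IS_SRVROLEMEMBER('sysadmin', p.name) = 1
UNION
SELECT pr.name, pr.type_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS pr
    ON pr.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'CONTROL SERVER' AND sp.state = 'G';
GO
```

The practical takeaway from step 6 is that the certificate export and the OS-level access to the service account are the two things to lock down: keep the exported .cer/.pvk pair (and any backup of the Service Master Key) off the database server, restrict the sysadmin and CONTROL SERVER list from step 7 to the people who are already trusted as host administrators, and treat a query-capable account, which step 5 shows is unaffected by TDE, as a separate control problem handled by database permissions, not by encryption at rest.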