透明資料加密 (TDE)Transparent Data Encryption (TDE)

適用範圍:Applies to: 是SQL ServerSQL Server (所有支援的版本) yesSQL ServerSQL Server (all supported versions) 是Azure SQL DatabaseAzure SQL DatabaseYesAzure SQL DatabaseAzure SQL Database 是Azure SQL 受控執行個體Azure SQL Managed InstanceYesAzure SQL 受控執行個體Azure SQL Managed Instance 是Azure Synapse AnalyticsAzure Synapse AnalyticsyesAzure Synapse AnalyticsAzure Synapse Analytics 是平行處理資料倉儲Parallel Data Warehouseyes平行處理資料倉儲Parallel Data Warehouse適用範圍:Applies to: 是SQL ServerSQL Server (所有支援的版本) yesSQL ServerSQL Server (all supported versions) 是Azure SQL DatabaseAzure SQL DatabaseYesAzure SQL DatabaseAzure SQL Database 是Azure SQL 受控執行個體Azure SQL Managed InstanceYesAzure SQL 受控執行個體Azure SQL Managed Instance 是Azure Synapse AnalyticsAzure Synapse AnalyticsyesAzure Synapse AnalyticsAzure Synapse Analytics 是平行處理資料倉儲Parallel Data Warehouseyes平行處理資料倉儲Parallel Data Warehouse

「透明資料加密」 (TDE) 會加密 SQL ServerSQL ServerAzure SQL DatabaseAzure SQL DatabaseAzure Synapse AnalyticsAzure Synapse Analytics 資料檔案。Transparent Data Encryption (TDE) encrypts SQL ServerSQL Server, Azure SQL DatabaseAzure SQL Database, and Azure Synapse AnalyticsAzure Synapse Analytics data files. 此加密稱為加密待用資料。This encryption is known as encrypting data at rest.

為協助保護資料庫安全,您可採取以下的預防措施:To help secure a database, you can take precautions like:

  • 設計安全的系統。Designing a secure system.
  • 加密機密資產。Encrypting confidential assets.
  • 在資料庫伺服器周圍建置防火牆。Building a firewall around the database servers.

但是竊取磁碟機或備份磁帶等實體媒體的惡意人士,可以還原或附加資料庫,並瀏覽其資料。But a malicious party who steals physical media like drives or backup tapes can restore or attach the database and browse its data.

解決方案之一是加密資料庫中的敏感性資料,並使用憑證來保護加密資料的金鑰。One solution is to encrypt sensitive data in a database and use a certificate to protect the keys that encrypt the data. 這個解決方案可防止沒有金鑰的人使用該資料。This solution prevents anyone without the keys from using the data. 但這種防護必須事先規劃。But you must plan this kind of protection in advance.

TDE 會執行資料和記錄檔的即時 I/O 加密和解密。TDE does real-time I/O encryption and decryption of data and log files. 加密使用資料庫加密金鑰 (DEK)。The encryption uses a database encryption key (DEK). 資料庫開機記錄會儲存金鑰以供復原時使用。The database boot record stores the key for availability during recovery. DEK 是對稱金鑰。The DEK is a symmetric key. 受伺服器 master 資料庫儲存的憑證保護,或受 EKM 模組保護的非對稱金鑰所保護。It's secured by a certificate that the server's master database stores or by an asymmetric key that an EKM module protects.

TDE 會保護待用資料,亦即資料檔和記錄檔。TDE protects data at rest, which is the data and log files. 這讓您必須遵循不同行業建立的許多法令、規章和指導方針。It lets you follow many laws, regulations, and guidelines established in various industries. 此功能可讓軟體開發人員使用 AES 和 3DES 加密演算法來加密資料,而無需變更現有的應用程式。This ability lets software developers encrypt data by using AES and 3DES encryption algorithms without changing existing applications.

關於 TDEAbout TDE

資料庫檔案的加密會在頁面層級執行。Encryption of a database file is done at the page level. 加密資料庫中的頁面會在寫入磁碟前即已加密,並在讀入記憶體時解密。The pages in an encrypted database are encrypted before they're written to disk and are decrypted when read into memory. TDE 不會增加加密資料庫的大小。TDE doesn't increase the size of the encrypted database.

適用於 SQL DatabaseSQL Database 的資訊Information applicable to SQL DatabaseSQL Database

搭配使用 TDE 和 SQL DatabaseSQL Database V12 時,SQL DatabaseSQL Database 會自動建立儲存在 master 資料庫中的伺服器層級憑證。When you use TDE with SQL DatabaseSQL Database V12, SQL DatabaseSQL Database automatically creates for you the server-level certificate stored in the master database. 若要移動 SQL DatabaseSQL Database 上的 TDE 資料庫,無需為移動作業解密資料庫。To move a TDE database on SQL DatabaseSQL Database, you don't have to decrypt the database for the move operation. 如需搭配使用 TDE 和 SQL DatabaseSQL Database 的詳細資訊,請參閱使用 Azure SQL Database 的透明資料加密For more information on using TDE with SQL DatabaseSQL Database, see Transparent Data Encryption with Azure SQL Database.

適用於 SQL ServerSQL Server 的資訊Information applicable to SQL ServerSQL Server

保護資料庫之後,即可使用正確的憑證來還原資料庫。After you secure a database, you can restore it by using the correct certificate. 如需有關憑證的詳細資訊,請參閱< SQL Server Certificates and Asymmetric Keys>。For more information about certificates, see SQL Server Certificates and Asymmetric Keys.

啟用 TDE 之後,請立即備份憑證及其相關聯的私密金鑰。After you enable TDE, immediately back up the certificate and its associated private key. 如果憑證無法使用,或您在另一部伺服器上還原或附加資料庫,則需要使用備份的憑證和私密金鑰。If the certificate becomes unavailable, or if you restore or attach the database on another server, you need backups of the certificate and private key. 否則,即無法開啟資料庫。Otherwise, you can't open the database.

即使資料庫已停用 TDE,仍請保留加密憑證。Keep the encrypting certificate even if you've disabled TDE on the database. 雖然資料庫未加密,但部分交易記錄檔可能仍受到保護。Although the database isn't encrypted, parts of the transaction log might remain protected. 在執行完整資料庫備份之前,執行某些作業可能也需要憑證。You also might need the certificate for some operations until you do a full database backup.

已超過到期日的憑證仍可與 TDE 搭配用來加密和解密資料。You can still use a certificate that exceeds its expiration date to encrypt and decrypt data with TDE.

加密階層Encryption hierarchy

下圖顯示 TDE 加密的架構。The following illustration shows the architecture of TDE encryption. SQL DatabaseSQL Database 上使用 TDE 時,使用者只能設定資料庫層級項目 (資料庫加密金鑰和 ALTER DATABASE 部分)。Only the database-level items (the database encryption key and ALTER DATABASE portions) are user-configurable when you use TDE on SQL DatabaseSQL Database.

透明資料庫加密架構

啟用 TDEEnable TDE

若要使用 TDE,請遵循下列步驟。To use TDE, follow these steps.

適用於SQL ServerSQL ServerApplies to: SQL ServerSQL Server.

  1. 建立建立主要金鑰。Create a master key.

  2. 建立或取得受主要金鑰保護的憑證。Create or obtain a certificate protected by the master key.

  3. 建立資料庫加密金鑰,並使用憑證保護金鑰。Create a database encryption key and protect it by using the certificate.

  4. 設定資料庫以使用加密。Set the database to use encryption.

下例示範使用安裝在伺服器上名為 MyServerCert 的憑證來加密和解密 AdventureWorks2012 資料庫。The following example shows encryption and decryption of the AdventureWorks2012 database using a certificate named MyServerCert that's installed on the server.

USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';
go
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
go
USE AdventureWorks2012;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
ALTER DATABASE AdventureWorks2012
SET ENCRYPTION ON;
GO

SQL ServerSQL Server會將加密和解密作業排定在背景執行緒上。The encryption and decryption operations are scheduled on background threads by SQL ServerSQL Server. 請使用本文中稍後出現的資料表目錄檢視和動態管理檢視,以檢視這些作業的狀態。To view the status of these operations, use the catalog views and dynamic management views in the table that appears later in this article.

警告

啟用 TDE 的資料庫備份檔案時,也會使用資料庫加密金鑰來加密。Backup files for databases that have TDE enabled are also encrypted with the database encryption key. 因此,當要還原這些備份時,必須可以使用用來保護此資料庫加密金鑰的憑證。As a result, when you restore these backups, the certificate that protects the database encryption key must be available. 所以,除了備份資料庫以外,請務必也要維護伺服器憑證的備份。Therefore, in addition to backing up the database, make sure to maintain backups of the server certificates. 如果無法再使用此憑證,即會遺失資料。Data loss results if the certificates are no longer available.

如需詳細資訊,請參閱 SQL Server Certificates and Asymmetric KeysFor more information, see SQL Server Certificates and Asymmetric Keys.

命令與函式Commands and functions

若要讓下列陳述式接受 TDE 憑證,請使用資料庫主要金鑰來加密憑證。For the following statements to accept TDE certificates, use a database master key to encrypt them. 如果只用密碼來加密憑證,則其陳述式會拒絕將憑證作為加密程式。If you encrypt them by password only, the statements reject them as encryptors.

重要

如果在 TDE 使用憑證後以密碼保護憑證,則在重新開機之後,即無法存取資料庫。If you make the certificates password protected after TDE uses them, the database becomes inaccessible after a restart.

下表提供 TDE 命令與函式的連結及說明:The following table provides links and explanations of TDE commands and functions:

命令或函數Command or function 目的Purpose
CREATE DATABASE ENCRYPTION KEY (Transact-SQL)CREATE DATABASE ENCRYPTION KEY (Transact-SQL) 建立用於加密資料庫的金鑰Creates a key that encrypts a database
ALTER DATABASE ENCRYPTION KEY (Transact-SQL)ALTER DATABASE ENCRYPTION KEY (Transact-SQL) 變更用於加密資料庫的金鑰Changes the key that encrypts a database
DROP DATABASE ENCRYPTION KEY (Transact-SQL)DROP DATABASE ENCRYPTION KEY (Transact-SQL) 移除用於加密資料庫的金鑰Removes the key that encrypts a database
ALTER DATABASE SET 選項 (Transact-SQL)ALTER DATABASE SET Options (Transact-SQL) 說明啟用 TDE 所用的 ALTER DATABASE 選項Explains the ALTER DATABASE option that is used to enable TDE

目錄檢視和動態管理檢視Catalog views and dynamic management views

下表顯示 TDE 目錄檢視和動態管理檢視。The following table shows TDE catalog views and dynamic management views.

目錄檢視或動態管理檢視Catalog view or dynamic management view 目的Purpose
sys.databases (Transact-SQL)sys.databases (Transact-SQL) 顯示資料庫資訊的目錄檢視Catalog view that displays database information
sys.certificates (Transact-SQL)sys.certificates (Transact-SQL) 目錄檢視,其顯示資料庫中的憑證Catalog view that shows the certificates in a database
sys.dm_database_encryption_keys (Transact-SQL)sys.dm_database_encryption_keys (Transact-SQL) 動態管理檢視,其提供資料庫加密金鑰的資訊及加密狀態Dynamic management view that provides information about a database's encryption keys and state of encryption

權限Permissions

如先前的資料表中所述,每項 TDE 功能和命令都有個別的權限需求。Each TDE feature and command has individual permission requirements as described in the tables shown earlier.

若要檢視與 TDE 有關的中繼資料,則需要具有憑證的 VIEW DEFINITION 權限。Viewing the metadata involved with TDE requires the VIEW DEFINITION permission on a certificate.

考量Considerations

當資料庫加密作業的重新加密掃描正在進行時,對資料庫的維護作業將會停用。While a re-encryption scan for a database encryption operation is in progress, maintenance operations to the database are disabled. 您可使用資料庫的單一使用者模式設定來執行維護作業。You can use the single-user mode setting for the database to do maintenance operations. 如需詳細資訊,請參閱 將資料庫設定為單一使用者模式For more information, see Set a Database to Single-user Mode.

使用 sys.dm_database_encryption_keys 動態管理檢視來尋找資料庫加密的狀態。Use the sys.dm_database_encryption_keys dynamic management view to find the state of database encryption. 如需詳細資訊,請參閱本文先前的<目錄檢視和動態管理檢視>一節。For more information, see the "Catalog views and dynamic management views" section earlier in this article.

在 TDE 中,資料庫內的所有檔案和檔案群組都會加密。In TDE, all files and filegroups in a database are encrypted. 如果資料庫中有任何檔案群組標示為 READ ONLY,則資料庫加密作業將會失敗。If any filegroup in a database is marked READ ONLY, the database encryption operation fails.

如果在資料庫鏡像或記錄傳送中使用資料庫,則兩個資料庫都會加密。If you use a database in database mirroring or log shipping, both databases are encrypted. 在兩者之間傳送記錄交易時會予以加密。The log transactions are encrypted when sent between them.

重要

設定資料庫加密時,即會加密全文檢索索引。Full-text indexes are encrypted when a database is set for encryption. 在 SQL Server 2008 前的 SQL Server 版本中建立的這類索引會由 SQL Server 2008 或更新版本匯入資料庫,並由 TDE 加密。Such indexes created in a SQL Server version earlier than SQL Server 2008 are imported into the database by SQL Server 2008 or later and are encrypted by TDE.

提示

若要監視資料庫的 TDE 狀態變更,請使用 SQL Server Audit 或 SQL Database 稽核。To monitor changes in the TDE status of a database, use SQL Server Audit or SQL Database auditing. SQL Server 將 TDE 追蹤記錄放在稽核動作群組 DATABASE_CHANGE_GROUP 下,此群組位於 動作群組和動作中。For SQL Server, TDE is tracked under the audit action group DATABASE_CHANGE_GROUP, which you can find in SQL Server Audit Action Groups and Actions.

限制Restrictions

在初始資料庫加密、金鑰變更或資料庫解密期間,不允許下列作業:The following operations are disallowed during initial database encryption, key change, or database decryption:

  • 從資料庫的檔案群組中卸除檔案Dropping a file from a filegroup in a database

  • 卸除資料庫Dropping a database

  • 讓資料庫離線Taking a database offline

  • 卸離資料庫Detaching a database

  • 將資料庫或檔案群組轉換成 READ ONLY 狀態Transitioning a database or filegroup into a READ ONLY state

執行 CREATE DATABASE ENCRYPTION KEY、ALTER DATABASE ENCRYPTION KEY、DROP DATABASE ENCRYPTION KEY 及 ALTER DATABASE...SET ENCRYPTION 陳述式時,不允許下列作業:The following operations are disallowed during the CREATE DATABASE ENCRYPTION KEY, ALTER DATABASE ENCRYPTION KEY, DROP DATABASE ENCRYPTION KEY, and ALTER DATABASE...SET ENCRYPTION statements:

  • 從資料庫的檔案群組中卸除檔案Dropping a file from a filegroup in a database

  • 卸除資料庫Dropping a database

  • 讓資料庫離線Taking a database offline

  • 卸離資料庫Detaching a database

  • 將資料庫或檔案群組轉換成 READ ONLY 狀態Transitioning a database or filegroup into a READ ONLY state

  • 使用 ALTER DATABASE 命令Using an ALTER DATABASE command

  • 啟動資料庫或資料庫檔案備份Starting a database or database-file backup

  • 啟動資料庫或資料庫檔案還原Starting a database or database-file restore

  • 建立快照集Creating a snapshot

下列作業或條件會讓 CREATE DATABASE ENCRYPTION KEY、ALTER DATABASE ENCRYPTION KEY、DROP DATABASE ENCRYPTION KEY 和 ALTER DATABASE...SET ENCRYPTION 陳述式無法執行:The following operations or conditions prevent the CREATE DATABASE ENCRYPTION KEY, ALTER DATABASE ENCRYPTION KEY, DROP DATABASE ENCRYPTION KEY, and ALTER DATABASE...SET ENCRYPTION statements:

  • 資料庫是唯讀的,或具有唯讀的檔案群組。A database is read-only or has read-only filegroups.

  • 正在執行 ALTER DATABASE 命令。An ALTER DATABASE command is running.

  • 正在執行資料備份。A data backup is running.

  • 資料庫為離線或還原狀態。A database is in an offline or restore condition.

  • 快照集正在進行中。A snapshot is in progress.

  • 正在執行資料庫維護工作。Database maintenance tasks are running.

建立資料庫檔案時,如果啟用 TDE 即無法使用立即檔案初始化功能。When database files are created, instant file initialization is unavailable when TDE is enabled.

為了使用非對稱金鑰來加密資料庫加密金鑰,此非對稱金鑰必須位在可延伸的金鑰管理提供者上。To encrypt a database encryption key with an asymmetric key, the asymmetric key must be on an extensible key-management provider.

TDE 掃描TDE scan

若要啟用資料庫上的 TDE,SQL ServerSQL Server 必須執行加密掃描。To enable TDE on a database, SQL ServerSQL Server must do an encryption scan. 掃描會將資料檔案的每一頁都讀入緩衝集區,然後將加密的頁面寫回磁片。The scan reads each page from the data files into the buffer pool and then writes the encrypted pages back out to disk.

為了讓您能更充分掌握加密掃描,SQL Server 2019 (15.x)SQL Server 2019 (15.x) 引進具有暫停和繼續語法的 TDE 掃描。To give you more control over the encryption scan, SQL Server 2019 (15.x)SQL Server 2019 (15.x) introduces TDE scan, which has a suspend and resume syntax. 您可在系統工作負載過重或業務忙碌時段暫停掃描,再於稍後時間繼續掃描。You can pause the scan while the workload on the system is heavy or during business-critical hours and then resume the scan later.

使用下列語法可暫停 TDE 加密掃描:Use the following syntax to pause the TDE encryption scan:

ALTER DATABASE <db_name> SET ENCRYPTION SUSPEND;

您也可以使用下列語法繼續 TDE 加密掃描:Similarly, use the following syntax to resume the TDE encryption scan:

ALTER DATABASE <db_name> SET ENCRYPTION RESUME;

encryption_scan_state 資料行已新增至 sys.dm_database_encryption_keys 動態管理檢視。The encryption_scan_state column has been added to the sys.dm_database_encryption_keys dynamic management view. 其顯示加密掃描目前的狀態。It shows the current state of the encryption scan. 另有稱為 encryption_scan_modify_date 的新資料行,其包含上次加密掃描狀態變更的日期和時間。There's also a new column called encryption_scan_modify_date, which contains the date and time of the last encryption-scan state change.

如果 SQL ServerSQL Server 執行個體在加密掃描暫停期間重新開機,則啟動時即會在錯誤記錄檔中記錄訊息。If the SQL ServerSQL Server instance restarts while its encryption scan is suspended, a message is logged in the error log on startup. 該訊息會指出現有的掃描已暫停。The message indicates that an existing scan has been paused.

TDE 和交易記錄TDE and transaction logs

讓資料庫使用 TDE 會移除目前虛擬交易記錄的其餘部分。Letting a database use TDE removes the remaining part of the current virtual transaction log. 移除會強制建立下一筆交易記錄。The removal forces creation of the next transaction log. 此行為保證在設定資料庫加密之後,記錄中不會留下任何純文字。This behavior guarantees that no clear text is left in the logs after the database is set for encryption.

若要尋找記錄檔加密的狀態,請參閱 sys.dm_database_encryption_keys 檢視中的 encryption_state 資料行,如以下範例所示:To find the status of log-file encryption, see the encryption_state column in the sys.dm_database_encryption_keys view, as in this example:

USE AdventureWorks2012;
GO
/* The value 3 represents an encrypted state
   on the database and transaction logs. */
SELECT *
FROM sys.dm_database_encryption_keys
WHERE encryption_state = 3;
GO

如需 SQL ServerSQL Server 記錄檔架構的詳細資訊,請參閱交易記錄 (SQL Server)For more information about the SQL ServerSQL Server log-file architecture, see The Transaction Log (SQL Server).

在資料庫加密金鑰變更前,所有寫入交易記錄的資料都是使用前一個資料庫加密金鑰來加密。Before a database encryption key changes, the previous database encryption key encrypts all data written to the transaction log.

如要變更兩次資料庫加密金鑰,則必須先執行記錄備份,才能再次變更資料庫加密金鑰。If you change a database encryption key twice, you must do a log backup before you can change the database encryption key again.

TDE 和 tempdb 系統資料庫TDE and the tempdb system database

如果 SQL ServerSQL Server 執行個體上有任一其他資料庫使用 TDE 進行加密,則會加密 tempdb 系統資料庫。The tempdb system database is encrypted if any other database on the SQL ServerSQL Server instance is encrypted by using TDE. 這加密可能會影響相同 SQL ServerSQL Server 執行個體上未加密的資料庫效能。This encryption might have a performance effect for unencrypted databases on the same SQL ServerSQL Server instance. 如需 tempdb 系統資料庫的詳細資訊,請參閱 tempdb 資料庫For more information about the tempdb system database, see tempdb Database.

TDE 和複寫TDE and replication

複寫不會自動以加密形式複寫啟用 TDE 的資料庫資料。Replication doesn't automatically replicate data from a TDE-enabled database in an encrypted form. 如果想要保護散發資料庫和訂閱者資料庫,請分別啟用 TDE。Separately enable TDE if you want to protect distribution and subscriber databases.

快照式複寫可將資料儲存在未加密的中繼檔案中,例如 BCP 檔案。Snapshot replication can store data in unencrypted intermediate files like BCP files. 異動複寫和合併式複寫的初始資料散發亦可。The initial data distribution for transactional and merge replication can too. 在這類複寫期間,您可啟用加密來保護通訊通道。During such replication, you can enable encryption to protect the communication channel.

如需詳細資訊,請參閱啟用資料庫引擎的加密連線 (SQL Server 組態管理員)For more information, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).

TDE 和 Always OnTDE and Always On

您可將加密的資料庫新增至 Always On 可用性群組You can add an encrypted database to an Always On availability group.

若要加密屬於可用性群組的資料庫,請先在所有次要複本上建立主要金鑰和憑證或非對稱金鑰 (EKM),再於主要複本上建立資料庫加密金鑰To encrypt databases that are part of an availability group, create the master key and certificates, or asymmetric key (EKM) on all secondary replicas before creating the database encryption key on the primary replica.

如果使用憑證保護資料庫加密金鑰 (DEK),請備份在主要複本上建立的憑證,然後先在所有次要複本上使用檔案建立憑證,再於主要複本上建立資料庫加密金鑰。If a certificate is used to protect the database encryption key (DEK), back up the certificate created on the primary replica, and then create the certificate from a file on all secondary replicas before creating the database encryption key on the primary replica.

TDE 和 FILESTREAM 資料TDE and FILESTREAM data

即使啟用 TDE 也不會加密 FILESTREAM 資料。FILESTREAM data isn't encrypted even when you enable TDE.

移除 TDERemove TDE

使用 ALTER DATABASE 陳述式移除資料庫的加密。Remove encryption from the database by using the ALTER DATABASE statement.

ALTER DATABASE <db_name> SET ENCRYPTION OFF;

若要檢視資料庫的狀態,請使用 sys.dm_database_encryption_keys 動態管理檢視。To view the state of the database, use the sys.dm_database_encryption_keys dynamic management view.

等候解密完成,然後使用 DROP DATABASE ENCRYPTION KEY 來移除資料庫加密金鑰。Wait for decryption to finish before removing the database encryption key by using DROP DATABASE ENCRYPTION KEY.

重要

將用於 TDE 的主要金鑰和憑證備份至安全位置。Back up the master key and certificate that are used for TDE to a safe location. 需有主要金鑰和憑證才能還原以 TDE 加密資料庫時所取得的備份。The master key and certificate are required to restore backups that were taken when the database was encrypted with TDE. 移除資料庫加密金鑰之後,請先進行記錄備份,再建立已解密資料庫的全新完整備份。After you remove the database encryption key, take a log backup followed by a fresh full backup of the decrypted database.

TDE 和緩衝集區延伸TDE and buffer pool extension

使用 TDE 加密資料庫時,不會加密與緩衝集區延伸模組 (BPE) 相關的檔案。When you encrypt a database using TDE, files related to buffer pool extension (BPE) aren't encrypted. 針對這些檔案,請在檔案系統層級使用 Bitlocker 或 EFS 等加密工具。For those files, use encryption tools like BitLocker or EFS at the file-system level.

TDE 和記憶體內部 OLTPTDE and In-Memory OLTP

您可對具有記憶體中 OLTP 物件的資料庫啟用 TDE。You can enable TDE on a database that has In-Memory OLTP objects. 在 SQL Server 2016 (13.x) 和 Azure SQL DatabaseAzure SQL Database 中,如果啟用 TDE,即會加密記憶體中 OLTP 記錄和資料。In SQL Server 2016 (13.x) and Azure SQL DatabaseAzure SQL Database, In-Memory OLTP log records and data are encrypted if you enable TDE. SQL Server 2014 (12.x)SQL Server 2014 (12.x) 中,如果啟用 TDE,即會加密記憶體中 OLTP 記錄檔的記錄,但不會加密 MEMORY_OPTIMIZED_DATA 檔案群組中的檔案。In SQL Server 2014 (12.x)SQL Server 2014 (12.x), In-Memory OLTP log records are encrypted if you enable TDE, but files in the MEMORY_OPTIMIZED_DATA filegroup are unencrypted.

將 TDE 保護的資料庫移至另一個 SQL ServerMove a TDE Protected Database to Another SQL Server
使用 EKM 在 SQL Server 上啟用 TDEEnable TDE on SQL Server Using EKM
使用 Azure Key Vault 的可延伸金鑰管理 (SQL Server)Extensible Key Management Using Azure Key Vault (SQL Server)

Azure SQL Database 的透明資料加密Transparent Data Encryption with Azure SQL Database
開始使用 Azure Synapse Analytics 中的透明資料加密 (TDE)Get started with Transparent Data Encryption (TDE) in Azure Synapse Analytics
SQL Server 加密SQL Server Encryption
SQL Server 和資料庫加密金鑰 (資料庫引擎)SQL Server and Database Encryption Keys (Database Engine)

另請參閱See also

SQL Server Database Engine 和 Azure SQL Database 的資訊安全中心Security Center for SQL Server Database Engine and Azure SQL Database
FILESTREAM (SQL Server)FILESTREAM (SQL Server)