How to predict the performance impact of Microsoft SQL Server Transparent Data Encryption (TDE)

Article: 100044812
Last Published: 2019-02-07
Ratings: 5 2
Product(s): Enterprise Vault


Transparent Data Encryption (TDE) or Data Encryption at Rest is an option to encrypt all the data that is stored within a database’s physical files and also any backup files. TDE performs real-time encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module.

Microsoft states that a performance overhead of 2-4% is to be expected when reading and writing to disk encrypted with TDE. Although the data held on disk is encrypted, data held in memory (buffer pool) is unencrypted. SQL Server tries to keep data that is referenced repeatedly in the buffer pool. Therefore assuming the SQL instance is provisioned with enough memory, most read queries access the buffer pool and would not have to go to disk. Frequently used queries should not be affected performance-wise by TDE.

Based on Microsoft's overhead estimates and initial testing, configuring TDE will have minimum impact on the day to day functionality of Enterprise Vault.


Was this content helpful?