Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
4.3.4. Transparent Data Encryption (TDE) and Always Encrypted
💡 First Principle: Encryption protects data at rest. TDE encrypts the entire database transparently; Always Encrypted encrypts specific columns with keys never exposed to the database server.
Encryption Comparison
| Feature | TDE | Always Encrypted |
|---|---|---|
| Scope | Entire database | Specific columns |
| Key Location | Database server | Client only |
| Protected From | Storage theft | Storage theft + DBA access |
| Query Support | Full | Limited (deterministic only) |
| Use Case | General encryption | Highly sensitive columns |
Scenario: You need to ensure certain columns cannot be decrypted by database administrators.
Answer: Use Always Encrypted. TDE protects data at rest but DBAs with access to the database can read decrypted data. Always Encrypted keeps keys on the client side; the database server never sees plaintext.
⚠️ Exam Trap: Thinking TDE protects against DBAs. TDE encrypts data files on disk but decryption is transparent to authorized database users. For protection against privileged database access, use Always Encrypted.
Always Encrypted Supported Operations
- Supported: Point lookups, equality comparisons (deterministic encryption)
- Not Supported: Range queries, LIKE operations, copying between columns
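To make the comparison concrete, here is an added T-SQL example (not part of the original page) that sets up both mechanisms side by side: TDE for a whole database, and Always Encrypted for two columns, one deterministic (equality lookups work) and one randomized (no server-side predicates at all). Database, certificate, key and table names are hypothetical, and the certificate thumbprint and encrypted key value are placeholders that a real deployment gets from SSMS or the SqlServer PowerShell module.

```sql
-- ===== TDE: whole database, key held by the server =====
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>';          -- placeholder
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate';            -- back this up!
USE SalesDb;                                                             -- hypothetical DB
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
-- From here on, any login with SELECT permission still reads plaintext:
-- TDE only protects the .mdf/.ldf files and backups on disk.

-- ===== Always Encrypted: specific columns, key held by the client =====
-- The column master key (CMK) lives outside SQL Server; the server only
-- stores its location. Here: the client's Windows certificate store.
CREATE COLUMN MASTER KEY CMK_Customers
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate thumbprint>'                 -- placeholder
);
-- The column encryption key (CEK) is stored only in wrapped form.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Customers,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x<CEK wrapped by the CMK, generated client-side>     -- placeholder
);
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    -- DETERMINISTIC: same plaintext -> same ciphertext, so equality works.
    -- Character columns used this way must use a *_BIN2 collation.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    -- RANDOMIZED: stronger, but the server cannot evaluate any predicate on it.
    Salary DECIMAL(10,2)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);

-- Client connects with "Column Encryption Setting=Enabled"; the driver
-- encrypts @ssn before it leaves the application, so the DBA sees ciphertext.
SELECT CustomerId FROM dbo.Customers WHERE SSN = @ssn;        -- OK: deterministic equality
SELECT CustomerId FROM dbo.Customers WHERE SSN LIKE '123%';   -- fails: LIKE unsupported
SELECT CustomerId FROM dbo.Customers WHERE Salary > 50000;    -- fails: range on randomized
```

A DBA running `SELECT SSN, Salary FROM dbo.Customers` from SSMS without the client-side key material gets varbinary ciphertext, which is exactly the property the scenario above asks for.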
Written by Alvin Varughese
Founder · 15 professional certifications