This page describes how to encrypt the data-files and the communication of the SQL Server.
Data-File encryption
As described in https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15 the Microsoft SQL Server supports "Transparent Data Encryption" or TDE to encrypt all data at rest - i.e. data-files and log-files. This is done on a per page base where the data is encrypted before writing it to the disk and decrypted when loading the page into memory. This can be setup at database creation time or for an existing database aswell. The procedure is as follows:
Create a master key.
Create or obtain a certificate protected by the master key.
Create a database encryption key and protect it by using the certificate.
Set the database to use encryption.
The following example shows encryption of the yuuvisRAD database using a certificate named MyServerCert that's installed on the server.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';
GO
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
GO
USE yuuvisRAD;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
ALTER DATABASE yuuvisRAD SET ENCRYPTION ON;
GO
To enable TDE on a database, SQL Server must do an encryption scan. The scan reads each page from the data files into the buffer pool and then writes the encrypted pages back out to disk.
Starting with SQL Server 2019 this can be paused with ALTER DATABASE <db_name> SET ENCRYPTION SUSPEND; and resumed with ALTER DATABASE <db_name> SET ENCRYPTION RESUME;
Caution
Backup files for databases that have TDE enabled are also encrypted with the database encryption key. As a result, when you restore these backups, the certificate that protects the database encryption key must be available. Therefore, in addition to backing up the database, make sure to maintain backups of the server certificates. Data loss results if the certificates are no longer available.
For more information, see SQL Server Certificates and Asymmetric Keys.