http://sqlblog.com/search/SearchResults.aspx?o=DateDescending&tag=SQL+Server,encryption,SQL+2008,filestream&orTags=0Search results matching tags 'SQL Server', 'encryption', 'SQL 2008', and 'filestream'en-USCommunityServer 2.1 SP2 (Build: 61129.1)http://sqlblog.com/blogs/michael_coles/archive/2010/03/08/t-sql-tuesday-004-why-doesn-t-tde-encrypt-my-filestream-data.aspxTue, 09 Mar 2010 02:42:00 GMT21093a07-8b3d-42db-8cbf-3350fcbf5496:22972Mike C<P>This post is my entry for <A title="Adam Machanic's Blog" href="http://sqlblog.com/blogs/adam_machanic/default.aspx" target=_blank>Adam Machanic's</A> <A title="T-SQL Tuesday #004" href="http://www.straightpathsql.com/archives/2010/03/invitation-for-t-sql-tuesday-004-io/" target=_blank>T-SQL Tuesday #004</A>, hosted this time by <A title="Mike Walsh" href="http://www.straightpathsql.com/aboutus/" target=_blank>Mike Walsh</A>. I was at the RSA Conference in San Francisco last week discussing database encryption options in SQL Server 2008 and one question seemed to keep coming up. The question concerns <A title="FILESTREAM Overview" href="http://msdn.microsoft.com/en-us/library/bb933993.aspx" target=_blank>FILESTREAM</A> and <A title="Understanding TDE" href="http://msdn.microsoft.com/en-us/library/bb934049.aspx">Transparent Data Encryption</A> (TDE), but first a little background:</P> <P>FILESTREAM is a new&nbsp;SQL Server 2008 feature. When you apply the FILESTREAM attribute to a <A title=varbinary href="http://msdn.microsoft.com/en-us/library/ms188362.aspx">varbinary(max)</A> column SQL Server stores your BLOB data in a "FILESTREAM data container" (an NTFS directory structure) instead of directly in the database (the MDF and NDF files that normally hold all your data). The advantages of FILESTREAM are speed (streaming NTFS&nbsp;access for large files) and the ability to store BLOB data larger than 2.1 GB.</P> <P>One of the downsides of FILESTREAM concerns another new feature, TDE. TDE&nbsp;transparently encrypts your database, adding a layer of protection against physical theft of your database files and storage devices. But TDE does not encrypt FILESTREAM data. The question I kept getting was "why?"&nbsp; The answer is fairly simple -- but a picture's worth a thousand words:</P> <P><IMG style="WIDTH:441px;HEIGHT:240px;" title=TDE alt=TDE src="http://e60ybw.bay.livefilestore.com/y1pQnPEkhA79JnqanROmfWvN1V2efDqOZYfYWtlVzuhCvibk6fuQMvWa1mqL3pRzsYHUAW6CRFYEtgAdJojBTYaJlzNqpYYX20N/iFTS_TDE.png" width=441 height=240></P> <P>As you can see in the picture,&nbsp;TDE sits midway between your physical storage and SQL Server's IO buffers. This ensures that everything that passes through the IO buffers gets encrypted on its way to persistent storage and decrypted on its way back out of storage. This is also&nbsp;why it's "transparent" to your applications, developers and users. SQL Server reads and writes data through the IO buffers in 8 KB pages. FILESTREAM achieves much of its performance enhancement for BLOB data by simply bypassing the IO buffers. But since TDE acts only on data passing through the IO buffers, it misses FILESTREAM BLOB data completely.</P> <P>Fortunately there are plenty of other options for encrypting your FILESTREAM data -- you can&nbsp;use <A title=EFS href="http://msdn.microsoft.com/en-us/library/ms995356.aspx">Windows Encrypting File System</A> (EFS), <A title=BitLocker href="http://support.microsoft.com/kb/933246">BitLocker</A>&nbsp;or third-party file/folder/volume encrypting software, for instance.</P>