Why Does My SQL Server Connection Require Access to TDE Keys?
Question
Why does my SQL Server connection require access to Transparent Data Encryption (TDE) keys when the keys are already configured in SQL Server?
Environment
- Connector: SQL Server
- Encryption: Transparent Data Encryption (TDE)
Answer
Fivetran requires access to the TDE protection chain because we read encrypted transaction log and backup data directly for capture. We don't rely on SQL Server to decrypt the data and return plaintext rows.
To decrypt this data, we must be able to unwrap the Database Encryption Key (DEK). We require access to the TDE certificate and private key, or, for Azure Key Management with Extensible Key Management (EKM), the Azure Key Vault key details and credentials. For more information, see our SQL Server Setup Guide.