When the TDE option is added to an option group, Amazon RDS generates a certificate that's used in the encryption process. You can then use the certificate to run SQL statements that encrypt data in a database on the DB instance.
The following example uses the RDS-created certificate called RDSTDECertificateName to encrypt a database called
myDatabase.
---------- Turning on TDE ------------- -- Find an RDS TDE certificate to use USE [master] GO SELECT name FROM sys.certificates WHERE name LIKE 'RDSTDECertificate%' GO USE [myDatabase] GO -- Create a database encryption key (DEK) using one of the certificates from the previous step CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE [RDSTDECertificateName] GO -- Turn on encryption for the database ALTER DATABASE [myDatabase] SET ENCRYPTION ON GO -- Verify that the database is encrypted USE [master] GO SELECT name FROM sys.databases WHERE is_encrypted = 1 GO SELECT db_name(database_id) as DatabaseName, * FROM sys.dm_database_encryption_keys GO
The time that it takes to encrypt a SQL Server database using TDE depends on several factors. These include the size of the DB instance, whether the instance uses Provisioned IOPS storage, the amount of data, and other factors.
