About transparent data encryption (TDE)
This page describes transparent data encryption (TDE) in Cloud SQL for SQL Server.
Cloud SQL for SQL Server supports using TDE to encrypt data stored in your
Cloud SQL for SQL Server instances. TDE automatically encrypts data
before it is written to storage, and automatically decrypts data when the data
is read from storage.
TDE is used in scenarios where another layer of encryption is
required in addition to Google's default offering of encryption for data at rest
and Google's optional offering of Customer-managed encryption keys (CMEK).
Specifically, you can use TDE to help you meet regulatory compliance
requirements such as Payment Card Industry Data Security Standard (PCI DSS)
or when importing or exporting encrypted backups.
How TDE works
TDE for Cloud SQL for SQL Server provides encryption key management by
using a two-tier key architecture. A certificate, which is generated from the
database primary key, protects the database encryption keys. The database
encryption key (DEK) encrypts and decrypts the data in the user database.
Cloud SQL manages both the database primary key and the TDE certificate.
- Each eligible Cloud SQL for SQL Server instance is provisioned with a unique
  TDE certificate that's valid for one year. Cloud SQL for SQL Server
  automatically rotates this certificate annually.
- You can import external TDE certificates to the instance, but you
  must rotate these manually.
- If the instance has replicas, then all TDE certificates,
  including those managed by Cloud SQL and those you imported manually,
  are automatically distributed across all replicas.
- Instances with TDE enabled generate an internal database called
  gcloud_cloudsqladmin. This database is reserved for internal
  Cloud SQL processes, isn't accessible to users, stores minimal data,
  and has negligible storage cost.
- Cloud SQL for SQL Server uses the gcloud_tde_system_ naming prefix when
  provisioning a TDE certificate.
- Any imported certificates use the gcloud_tde_user_CERT_NAME_UUID naming
  prefix, where CERT_NAME and UUID are placeholders.
- After you either import or rotate a certificate on an instance that
  has both TDE and point-in-time recovery (PITR) enabled, the instance creates a
  new backup. This helps reduce the risk of certificate loss if and when you want
  to restore an encrypted database to a point in time before the certificate was
  accessible to the instance.
Limitations
- Available only in Cloud SQL for SQL Server instances with the following database
  versions:
  - SQL Server Enterprise
  - SQL Server 2019 or later (Standard edition)
- If TDE is used for an instance with replicas and
  VPC Service Controls are enabled, then you must ensure the primary instance
  and all replicas are within the same service perimeter.
  For more information, see Configure VPC Service Controls
  (/sql/docs/sqlserver/admin-api/configure-service-controls) and
  Overview of VPC Service Controls (/vpc-service-controls/docs/overview).
- You can't delete a TDE certificate that is managed by Cloud SQL.
- You can't delete a TDE certificate while it is in use.
- You can't directly import external TDE certificates to replica
  instances.
- You can import up to ten TDE certificates per instance. If you
  need to import more, delete any unnecessary certificates using the
  msdb.dbo.gcloudsql_drop_tde_user_certificate stored procedure.
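The key hierarchy described under "How TDE works" (certificate protecting the database encryption key), the one-year certificate validity with manual rotation for imported certificates, and the ten-certificate import limit above can all be checked from the instance itself. The following T-SQL audit script is an added example, not code from the Cloud SQL documentation or from Google; it uses only standard SQL Server catalog views (sys.databases, sys.dm_database_encryption_keys, sys.certificates) and the gcloud_tde_system_ and gcloud_tde_user_ prefixes stated on this page. It assumes your login can read those views in master, and the 30-day expiry warning window is an arbitrary choice.

```sql
-- Added audit example (not from the Cloud SQL documentation). Assumes the
-- login can read the catalog views in master; the 30-day window is a choice.
USE master;

-- 1. Per-database TDE state and the certificate protecting each DEK.
--    encryption_state: 0 = no DEK, 1 = unencrypted, 2 = encryption in
--    progress, 3 = encrypted, 4 = key change in progress, 5 = decryption
--    in progress (values defined by sys.dm_database_encryption_keys).
SELECT d.name                AS database_name,
       d.is_encrypted,
       dek.encryption_state,
       dek.key_algorithm,
       dek.key_length,
       c.name                AS protecting_certificate,
       c.expiry_date
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek
       ON dek.database_id = d.database_id
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint
WHERE d.database_id > 4              -- skip master, tempdb, model, msdb
ORDER BY d.name;

-- 2. TDE certificates on the instance, classified by the naming prefixes
--    from this page. [_] matches a literal underscore (plain _ is a
--    single-character wildcard in LIKE). Cloud SQL rotates the
--    gcloud_tde_system_ certificate; gcloud_tde_user_ ones are yours to rotate.
SELECT c.name,
       CASE WHEN c.name LIKE 'gcloud[_]tde[_]system[_]%' THEN 'managed by Cloud SQL'
            WHEN c.name LIKE 'gcloud[_]tde[_]user[_]%'   THEN 'imported (manual rotation)'
            ELSE 'other'
       END                                              AS origin,
       c.start_date,
       c.expiry_date,
       DATEDIFF(day, SYSDATETIME(), c.expiry_date)     AS days_until_expiry,
       CASE WHEN DATEDIFF(day, SYSDATETIME(), c.expiry_date) <= 30
            THEN 1 ELSE 0 END                           AS expiring_soon,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.dm_database_encryption_keys AS k
                         WHERE k.encryptor_thumbprint = c.thumbprint)
            THEN 1 ELSE 0 END                           AS in_use
FROM sys.certificates AS c
WHERE c.name LIKE 'gcloud[_]tde[_]%'
ORDER BY c.expiry_date;

-- 3. Headroom against the ten-imported-certificate limit. Imported
--    certificates reported with in_use = 0 above are the candidates for
--    msdb.dbo.gcloudsql_drop_tde_user_certificate (a certificate that is
--    still in use cannot be deleted).
SELECT COUNT(*)      AS imported_certificates,
       10 - COUNT(*) AS remaining_import_slots
FROM sys.certificates
WHERE name LIKE 'gcloud[_]tde[_]user[_]%';
```

Run the script on the primary instance; because Cloud SQL distributes certificates to replicas, the second result set should match across the primary and each replica, and a mismatch is worth investigating before relying on a replica for restore. A user database whose protecting_certificate is an imported one with expiring_soon = 1 is the case the page's manual-rotation note is about.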
What's next
- Use TDE (/sql/docs/sqlserver/use-tde)
Last updated 2025-08-25 UTC.