This page describes transparent data encryption (TDE) in Cloud SQL for SQL Server.
Cloud SQL for SQL Server supports using TDE to encrypt data stored in your Cloud SQL for SQL Server instances. TDE automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.
TDE is used in scenarios where another layer of encryption is required in addition to Google's default offering of encryption for data at rest and Google's optional offering of Customer-managed encryption keys (CMEK). Specifically, you can use TDE to help you meet regulatory compliance requirements such as Payment Card Industry Data Security Standard (PCI DSS) or when importing or exporting encrypted backups.
How TDE works
TDE for Cloud SQL for SQL Server provides encryption key management by using a two-tier key architecture. A certificate, which is generated from the database primary key, is used to protect the data encryption keys. The database encryption key performs the encryption and decryption of data on the user database. Cloud SQL manages both the database primary key and the TDE certificate.
Each eligible Cloud SQL for SQL Server instance is provisioned with a unique TDE certificate that's valid for one year. Cloud SQL for SQL Server automatically rotates this certificate annually.
You can import external TDE certificates to the instance, but you must rotate these manually.
If the instance has replicas, then all TDE certificates, including those managed by Cloud SQL and those you imported manually, are automatically distributed across all replicas.
Instances with TDE enabled generate an internal database called
gcloud_cloudsqladmin. This database is reserved for internal Cloud SQL processes, isn't accessible to users, stores minimal data, and has negligible storage cost.
Limitations
Available only in Cloud SQL for SQL Server instances that have the database version SQL Server Enterprise.
If TDE is used for an instance with replicas and VPC Service Controls are enabled, then you must ensure the primary instance and all replicas are within the same service perimeter.
For more information, see Configure VPC Service Controls and Overview of VPC Service Controls.
You can't delete a TDE certificate that is managed by Cloud SQL.
You can't delete a TDE certificate while it is in use.
You can't directly import external TDE certificates to replica instances.
You can import up to ten TDE certificates per instance. If you need to import more, delete any unnecessary certificates using the
msdb.dbo.gcloudsql_drop_tde_user_certificatestored procedure.