Enable Transparent Data Encryption (TDE)

Description

Transparent Data Encryption (TDE) provides encryption at rest. If the underlying storage for the database is compromised and TDE is enabled, an attacker who copies that storage still cannot read the data.

Rationale

While many cloud providers do encrypt data storage at rest within their own systems, a best practice is to encrypt the data with a key that you control. This is often required by compliance standards.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      sqlserver

Default Rule

const {isEmptyArray} = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if every custom database is encrypted
 */
function validate(databaseSettings) {
    // System databases that the rule does not require to be encrypted;
    // they are skipped rather than counted as failures.
    const unencryptableDbs = ['master', 'model', 'msdb', 'rdsadmin']
    // Pass when there are no databases to check, or when every database is
    // either a skipped system database or has TDE enabled.
    const success =
        isEmptyArray(databaseSettings.databases) ||
        databaseSettings.databases.every(
            db =>
                unencryptableDbs.includes(db.sqlserver.name) ||
                db.sqlserver.isEncrypted)

    return {
        success
    }
}

validate(databaseSettings)
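To see how the rule evaluates, the following is an added, stand-alone JavaScript version (not SecureCloudDB's own code) that reproduces the default rule's logic against constructed `databaseSettings` objects and additionally reports which user databases caused a failure, which the rule's bare `{success}` result does not show. The engine-supplied `isEmptyArray` helper is assumed to behave like the local version defined here.

```javascript
// Added example: stand-alone re-implementation of the TDE rule, not SecureCloudDB's code.
// Assumption: the engine's `isEmptyArray` helper behaves like this local version.
const isEmptyArray = (value) => !Array.isArray(value) || value.length === 0;

// System databases the default rule skips rather than counting as failures.
const UNENCRYPTABLE_DBS = ['master', 'model', 'msdb', 'rdsadmin'];

/**
 * Evaluate TDE coverage for one instance.
 * @param {Object} databaseSettings - same shape as the rule input:
 *   { databases: [{ sqlserver: { name, isEncrypted } }] }
 * @returns {{success: boolean, unencrypted: string[]}} rule result plus the
 *   names of user databases that lack TDE (useful for remediation)
 */
function evaluateTde(databaseSettings) {
  const databases = databaseSettings.databases;
  if (isEmptyArray(databases)) {
    // No databases reported: nothing to encrypt, so the rule passes.
    return { success: true, unencrypted: [] };
  }
  const unencrypted = databases
    .filter((db) => !UNENCRYPTABLE_DBS.includes(db.sqlserver.name))
    .filter((db) => !db.sqlserver.isEncrypted)
    .map((db) => db.sqlserver.name);
  return { success: unencrypted.length === 0, unencrypted };
}

// Constructed sample inputs (not data from a real instance).
const compliantInstance = {
  databases: [
    { sqlserver: { name: 'master', isEncrypted: false } },
    { sqlserver: { name: 'rdsadmin', isEncrypted: false } },
    { sqlserver: { name: 'orders', isEncrypted: true } },
  ],
};

const nonCompliantInstance = {
  databases: [
    { sqlserver: { name: 'msdb', isEncrypted: false } },
    { sqlserver: { name: 'orders', isEncrypted: true } },
    { sqlserver: { name: 'customers', isEncrypted: false } },
  ],
};

console.log(evaluateTde(compliantInstance));    // { success: true, unencrypted: [] }
console.log(evaluateTde(nonCompliantInstance)); // { success: false, unencrypted: ['customers'] }
```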