Enabling Transparent Data Encryption (TDE) on AWS with the CLI

That’s when we turned on Transparent Data Encryption (TDE) using the AWS CLI.

What is Transparent Data Encryption (TDE)?

Transparent Data Encryption encrypts data at rest, protecting it from unauthorized access. It secures database files, logs, and backups. The process is handled automatically by the database engine without changing how applications read or write data. On AWS, TDE is most often used with Amazon RDS for SQL Server and Oracle, or with custom database setups on EC2.

Why Use AWS CLI for TDE?

The AWS Management Console works fine, but the AWS CLI gives you speed, repeatability, and automation. You can enable TDE, configure keys, and manage encryption policies directly from your terminal. This is vital for pipelines, compliance, and scaling environments without manual clicks.

Setting Up TDE with AWS CLI

  1. Check Engine Support
     Ensure your database engine supports TDE. For RDS, only certain editions and versions allow TDE. Query with:
     aws rds describe-db-engine-versions --engine sqlserver-se --query "DBEngineVersions[*].{Engine:Engine,Version:EngineVersion}"
  2. Create or Import a Customer Managed Key (CMK)
     Use AWS KMS to create or import a key for encryption:
     aws kms create-key --description "TDE Master Key"
     # <key-id> is the KeyMetadata.KeyId value printed by create-key
     aws kms create-alias --alias-name alias/tde-master --target-key-id <key-id>
  3. Modify Database Instance for TDE
     Update the RDS instance to enable TDE:
     # On RDS for SQL Server, TDE is switched on through the TRANSPARENT_DATA_ENCRYPTION option of an
     # option group attached to the instance. modify-db-instance has no --kms-key-id flag: a KMS key for
     # storage encryption is chosen once, at create-db-instance time, with --storage-encrypted --kms-key-id.
     aws rds create-option-group --option-group-name tde-sqlserver-se --engine-name sqlserver-se --major-engine-version 15.00 --option-group-description "TDE for SQL Server SE 15.00"
     aws rds add-option-to-option-group --option-group-name tde-sqlserver-se --options OptionName=TRANSPARENT_DATA_ENCRYPTION --apply-immediately
     aws rds modify-db-instance --db-instance-identifier mydbinstance --option-group-name tde-sqlserver-se --apply-immediately
  4. Enable TDE in the Database
     For SQL Server:
     -- The database encryption key (DEK) belongs to the user database, not to master.
     USE mydatabase;
     -- MyTDECert must already exist in master. On RDS for SQL Server the server certificate is provisioned
     -- by RDS once the TDE option is active; look its name up with
     -- SELECT name FROM master.sys.certificates WHERE name LIKE 'RDSTDECertificate%';
     CREATE DATABASE ENCRYPTION KEY
     WITH ALGORITHM = AES_256
     ENCRYPTION BY SERVER CERTIFICATE MyTDECert;
     ALTER DATABASE mydatabase SET ENCRYPTION ON;
  5. Verify Encryption State
     Run:
     SELECT db_name(database_id) AS DatabaseName, encryption_state, percent_complete
     FROM sys.dm_database_encryption_keys;
     -- encryption_state 2 = encryption in progress (watch percent_complete), 3 = encrypted

Key Security Practices

  • Rotate Keys Regularly: Use AWS KMS key rotation to limit exposure.
  • Restrict IAM Permissions: Control who can enable, disable, or modify TDE.
  • Test Restores: Always confirm you can restore encrypted backups without data loss.
  • Log and Monitor: Enable AWS CloudTrail and RDS Enhanced Monitoring to track all encryption-related changes.

Automating with AWS CLI and Scripts

Automation ensures consistency. Store commands in scripts, integrate them into CI/CD pipelines, and trigger TDE enablement as part of database provisioning. Use the AWS CLI’s JSON output for programmatic checks.
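A provisioning script for the RDS for SQL Server steps above, added here as an example and not part of the original post: it creates the option group if it is missing, adds the TDE option, attaches the group to the instance, and makes its checks on the CLI's --query/--output text results; the instance name mydbinstance, the option group tde-sqlserver-se and engine sqlserver-se 15.00 are assumed names.

```bash
#!/usr/bin/env bash
# Added example, not the post's own code: enable TDE on an RDS for SQL Server instance through an
# option group and verify it from CLI output. Assumed names: mydbinstance, tde-sqlserver-se, 15.00.
set -eu
INSTANCE="${INSTANCE:-mydbinstance}"
OPTION_GROUP="${OPTION_GROUP:-tde-sqlserver-se}"
ENGINE="sqlserver-se"
MAJOR_VERSION="15.00"

# $1: option names as printed by --query "OptionGroupsList[0].Options[].OptionName" --output text
# (tab-separated on one line). Returns 0 when the TDE option is among them.
group_has_tde() {
  for n in $1; do
    [ "$n" = "TRANSPARENT_DATA_ENCRYPTION" ] && return 0
  done
  return 1
}

# $1: lines of "<option group name><TAB><status>" from
#     --query "DBInstances[0].OptionGroupMemberships[].[OptionGroupName,Status]" --output text
# $2: the option group we expect. Returns 0 only when that group is attached and in-sync.
membership_in_sync() {
  printf '%s\n' "$1" | awk -F'\t' -v g="$2" '$1 == g && $2 == "in-sync" { ok = 1 } END { exit ok ? 0 : 1 }'
}

enable_tde() {
  # describe-option-groups exits non-zero when the group does not exist yet
  if ! aws rds describe-option-groups --option-group-name "$OPTION_GROUP" >/dev/null 2>&1; then
    aws rds create-option-group --option-group-name "$OPTION_GROUP" --engine-name "$ENGINE" \
      --major-engine-version "$MAJOR_VERSION" --option-group-description "TDE for $ENGINE $MAJOR_VERSION" >/dev/null
  fi
  names=$(aws rds describe-option-groups --option-group-name "$OPTION_GROUP" \
    --query "OptionGroupsList[0].Options[].OptionName" --output text)
  if ! group_has_tde "$names"; then
    aws rds add-option-to-option-group --option-group-name "$OPTION_GROUP" \
      --options OptionName=TRANSPARENT_DATA_ENCRYPTION --apply-immediately >/dev/null
  fi
  aws rds modify-db-instance --db-instance-identifier "$INSTANCE" \
    --option-group-name "$OPTION_GROUP" --apply-immediately >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$INSTANCE"
  members=$(aws rds describe-db-instances --db-instance-identifier "$INSTANCE" \
    --query "DBInstances[0].OptionGroupMemberships[].[OptionGroupName,Status]" --output text)
  membership_in_sync "$members" "$OPTION_GROUP" || { echo "$OPTION_GROUP not in-sync on $INSTANCE yet (may still be pending-apply); re-check later" >&2; return 1; }
  echo "TDE option active on $INSTANCE; create the DEK and SET ENCRYPTION ON in each database next."
}

# Talk to AWS only when asked, so the checks above can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then enable_tde; fi
```

Run it as `./enable-tde.sh --run` with credentials that allow rds:CreateOptionGroup, rds:AddOptionToOptionGroup and rds:ModifyDBInstance on the target instance.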

TDE and Compliance

TDE helps achieve compliance with regulations like PCI DSS, HIPAA, and GDPR by encrypting sensitive data transparently. On AWS, pairing TDE with KMS and proper IAM policies creates a strong security posture for cloud databases.

The shift to encrypted-by-default environments is no longer optional. The AWS CLI makes TDE activation fast, repeatable, and reliable. If you want to see end-to-end database encryption in the cloud come alive without weeks of setup, explore how hoop.dev can run it live in minutes.