
At-rest encryption is one of the most frequently discussed topics in my conversations with Pure customers. Many of them are concerned about how a database that uses Transparent Data Encryption (TDE) will perform on our FlashArrays, given that we always deduplicate, compress and encrypt the data as it is written to the array.

Let me make this abundantly clear: there will be no performance impact from using Pure as the storage platform for your TDE-encrypted databases. We have customers doing this today, and their databases are humming along just fine on FlashArrays.

With that said, given that we encrypt the data saved on our arrays at rest by default, you might want to reconsider using TDE on your databases. You will get a performance bump from dropping TDE, and we take care of encryption for you.

There is one thing you get with TDE that we don’t do automatically, though: we do not encrypt your backups as you copy them off our array to tape or whatever long-term archival storage medium you use. For that, you have the choice of leveraging SQL Server’s backup encryption capabilities on SQL Server 2014 and above, or any of the 3rd party backup solutions available (which can also help if you have an earlier version of SQL Server!). Some names that come to mind: Redgate’s SQL Backup, Idera’s SQL Safe, Dell’s SQL Litespeed. Plus, you always have the choice of rolling your own encryption with something like GPG.

Now what if you are using Log Shipping between two instances hosted on different FlashArrays in separate datacenters, for DR? When you use TDE, backups (including transaction log backups) are automatically encrypted, so what can be done in this case?

Well, Log Shipping doesn’t offer an option to encrypt the transaction log backups it takes using sqllogship.exe. That’s the bad news, but the good news is that you can roll your own scripts so that transaction log backups are encrypted. Alternatively, the 3rd party backup offerings mentioned before can do this for you just as well.
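One way to roll your own encrypted transaction log backups with the native backup encryption in SQL Server 2014 and above, shown as an added example that is not from the original post. The database name SalesDB, the certificate name LogShipBackupCert, the file paths and the passwords are placeholders.

```sql
-- Added example. SalesDB, LogShipBackupCert, all paths and all passwords are placeholders.

-- PRIMARY, one time: create the certificate that protects the log backups.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<primary-master-key-password>'; -- skip if master already has one
CREATE CERTIFICATE LogShipBackupCert
    WITH SUBJECT = 'Log shipping backup encryption';

-- Export the certificate and its private key so the secondary can decrypt.
-- Store these files separately from the backups they protect.
BACKUP CERTIFICATE LogShipBackupCert
    TO FILE = 'C:\Keys\LogShipBackupCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Keys\LogShipBackupCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password>');
GO

-- PRIMARY, scheduled job step: one encrypted log backup per file.
-- Encrypted backups cannot be appended to an existing backup set,
-- so every run writes a new, timestamped file.
DECLARE @file nvarchar(260) =
    N'\\backupshare\logship\SalesDB_'
    + FORMAT(SYSUTCDATETIME(), 'yyyyMMdd_HHmmss') + N'.trn';

BACKUP LOG SalesDB
    TO DISK = @file
    WITH FORMAT, CHECKSUM, COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = LogShipBackupCert);
GO

-- SECONDARY, one time: import the same certificate with its private key.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<secondary-master-key-password>'; -- skip if master already has one
CREATE CERTIFICATE LogShipBackupCert
    FROM FILE = 'C:\Keys\LogShipBackupCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Keys\LogShipBackupCert.pvk',
        DECRYPTION BY PASSWORD = '<private-key-password>');
GO

-- SECONDARY, scheduled job step: restore each copied file in sequence.
-- RESTORE locates the certificate by thumbprint; no extra option is needed.
RESTORE LOG SalesDB
    FROM DISK = N'\\backupshare\logship\SalesDB_<timestamp>.trn'
    WITH NORECOVERY;
```

Without the certificate and private key on the secondary, the restore fails, so back up both files and test a restore before relying on the chain for DR.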

That way, you have both databases protected by encryption at the FlashArray, and encrypted backups that can be copied and shuttled around with peace of mind, all while having a much smaller storage footprint.

Thanks for reading,

 

-A
