Is the BACPAC from a TDE encrypted DB also encrypted?
https://dba.stackexchange.com/questions/285925
-
16-03-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
If you create a BACPAC of an encrypted database, will the data in the BACPAC be encrypted?
We're currently using on-prem SQL Server and use TDE to encrypt our customer databases. We also have a requirement to maintain customer directed backups for up to 10 years. A backup of an encrypted DB and retention is not an issue. We're looking to migrate our platform to Azure SQL DB and thus will lose the ability to do customer directed backups. I'm exploring the use of BACPAC to meet our needs. If you create a BACPAC of an encrypted database, will the data in the BACPAC be encrypted?
Solution
No, the BACPAC is not encrypted. BACPAC is an export of schema and data.
TDE means that decryption is done when SQL Server reads the data pages from disk. I.e., the client tool that generates the BACPAC (sqlpackage.exe, for example) asks SQL Server to read the data, and that tool will never see the encrypted data.
So you'd have to post-encrypt the BACPAC file by some tool, if you have such a requirement.
