# About transparent data encryption (TDE)

Last updated: 2025-09-04 (UTC).

This page describes transparent data encryption (TDE) in Cloud SQL for SQL Server.

Cloud SQL for SQL Server supports using TDE to encrypt data stored in your Cloud SQL for SQL Server instances. TDE automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage.

TDE is used in scenarios where another layer of encryption is required in addition to Google's default [encryption for data at rest](/docs/security/encryption/default-encryption) and Google's optional [Customer-managed encryption keys (CMEK)](/sql/docs/sqlserver/cmek). Specifically, you can use TDE to help meet regulatory compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS), or when importing or exporting encrypted backups.

How TDE works
-------------

TDE for Cloud SQL for SQL Server provides encryption key management using a two-tier key architecture. A certificate, which is generated from the database primary key, protects the database encryption key. The database encryption key encrypts and decrypts the data in the user database. Cloud SQL manages both the database primary key and the TDE certificate.

- Each eligible Cloud SQL for SQL Server instance is provisioned with a unique TDE certificate that is valid for one year. Cloud SQL for SQL Server automatically rotates this certificate annually.
- You can import external TDE certificates to the instance, but you must rotate these manually.
- If the instance has replicas, then all TDE certificates, including those managed by Cloud SQL and those you imported manually, are automatically distributed across all replicas.
- Instances with TDE enabled generate an internal database called `gcloud_cloudsqladmin`. This database is reserved for internal Cloud SQL processes, isn't accessible to users, stores minimal data, and has negligible storage cost.
- Cloud SQL for SQL Server uses the `gcloud_tde_system_` naming prefix when provisioning a TDE certificate.
- Any imported certificates use the `gcloud_tde_user_`*CERT_NAME*`_`*UUID* naming prefix.
- After you either import or rotate a certificate on an instance that has both TDE and point-in-time recovery (PITR) enabled, the instance creates a new backup. This reduces the risk of losing the certificate when you restore an encrypted database to a point in time before the certificate was available to the instance.

Limitations
-----------

- Available only in Cloud SQL for SQL Server instances with the following database [versions](/sql/docs/sqlserver/editions-intro#edition-features):
  - SQL Server Enterprise
  - SQL Server 2019 or later (Standard edition)
- If TDE is used for an instance with replicas and VPC Service Controls are enabled, then you must ensure that the primary instance and all replicas are within the same service perimeter. For more information, see [Configure VPC Service Controls](/sql/docs/sqlserver/admin-api/configure-service-controls) and [Overview of VPC Service Controls](/vpc-service-controls/docs/overview).
- You can't delete a TDE certificate that is managed by Cloud SQL.
- You can't delete a TDE certificate while it is in use.
- You can't directly import external TDE certificates to replica instances.
- You can import up to ten TDE certificates per instance. If you need to import more, delete any unnecessary certificates using the `msdb.dbo.gcloudsql_drop_tde_user_certificate` stored procedure.

What's next
-----------

- [Use TDE](/sql/docs/sqlserver/use-tde)
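The two-tier key architecture and the certificate naming prefixes described under "How TDE works", together with the ten-certificate import limit under "Limitations", can be verified from inside the instance with standard SQL Server catalog views. The following T-SQL is an added example and is not code from the Cloud SQL documentation or from Google: it joins `sys.databases`, `sys.dm_database_encryption_keys` and `sys.certificates` to show which certificate protects each database encryption key, whether that certificate is Cloud SQL-managed (`gcloud_tde_system_`) or imported (`gcloud_tde_user_`), how close it is to expiry, and which imported certificates are unused and therefore candidates for removal. This page does not give the parameter list of `msdb.dbo.gcloudsql_drop_tde_user_certificate`, so the final, commented-out call uses an assumed `@cert_name` parameter and a placeholder certificate name; take the real signature from the Use TDE page.

```sql
-- Added example (not Cloud SQL's own code): read-only inventory of TDE state
-- and TDE certificates. Run in the master database, where TDE certificates live.
USE master;
GO

-- 1. Per-database TDE state, joined to the certificate that protects the DEK.
--    encryption_state: 2 = encryption in progress, 3 = encrypted, 5 = decrypting.
--    LIKE patterns use [_] so that the underscore is matched literally, not as
--    the single-character wildcard.
SELECT
    d.name                                   AS database_name,
    d.is_encrypted,
    dek.encryption_state,
    dek.encryptor_type,                      -- 'CERTIFICATE' for TDE
    dek.key_algorithm,
    dek.key_length,
    c.name                                   AS certificate_name,
    CASE
        WHEN c.name LIKE 'gcloud[_]tde[_]system[_]%' THEN 'Cloud SQL-managed (rotated annually)'
        WHEN c.name LIKE 'gcloud[_]tde[_]user[_]%'   THEN 'Imported (rotate manually)'
        WHEN c.name IS NULL                          THEN 'No DEK / not encrypted'
        ELSE 'Unexpected naming convention'
    END                                      AS certificate_origin,
    c.expiry_date,
    DATEDIFF(day, SYSUTCDATETIME(), c.expiry_date) AS days_until_expiry
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek
       ON dek.database_id = d.database_id
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint
WHERE d.database_id > 4                      -- skip master, tempdb, model, msdb;
ORDER BY d.name;                             -- gcloud_cloudsqladmin will still appear
GO

-- 2. Imported certificates: which are still protecting a DEK, and how many of
--    the ten import slots are taken. "unused" rows are the deletion candidates;
--    an in-use certificate cannot be deleted.
SELECT
    c.name,
    c.thumbprint,
    c.start_date,
    c.expiry_date,
    CASE WHEN EXISTS (SELECT 1
                      FROM sys.dm_database_encryption_keys AS dek
                      WHERE dek.encryptor_thumbprint = c.thumbprint)
         THEN 'in use' ELSE 'unused' END     AS usage_state
FROM sys.certificates AS c
WHERE c.name LIKE 'gcloud[_]tde[_]user[_]%'
ORDER BY c.expiry_date;

SELECT COUNT(*)      AS imported_certificates,
       10 - COUNT(*) AS remaining_import_slots
FROM sys.certificates
WHERE name LIKE 'gcloud[_]tde[_]user[_]%';
GO

-- 3. Freeing a slot: drop an 'unused' imported certificate with the stored
--    procedure this page names. ASSUMPTION: the @cert_name parameter and the
--    certificate name below are placeholders; the real parameter list is on
--    the Use TDE page. Left commented out so this script stays read-only.
-- EXEC msdb.dbo.gcloudsql_drop_tde_user_certificate
--      @cert_name = N'gcloud_tde_user_CERT_NAME_UUID';
```

Reading `sys.dm_database_encryption_keys` requires `VIEW SERVER STATE`, and `sys.certificates` only lists certificates the login has `VIEW DEFINITION` on, so a row with `is_encrypted = 1` but `certificate_name = NULL` can mean a permissions gap rather than a missing certificate. The `days_until_expiry` column is the useful operational signal: Cloud SQL-managed certificates are rotated for you, but an imported certificate that is close to expiry is one you must rotate yourself. `GO` is a batch separator understood by sqlcmd and SQL Server Management Studio, not a T-SQL statement.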