[SalesForce] Has anyone enabled Transparent Data Encryption (TDE) in Marketing Cloud

I've submitted a support ticket to enable Transparent Data Encryption (TDE) on a Marketing Cloud instance. Since all of the encryption happens on the backend as opposed to Field Level Encryption (FLE) on the application layer, how do we really know if this is implemented?

Transparent Database Data Encryption, also called TDE, uses a feature of SQL Server to encrypt the entire database transparently. This feature stores the entire database in an encrypted format at rest at the file level. This feature will prevent someone with physical access to the database or a backup copy of the database from mounting it on another SQL server instance and accessing data. TDE involves minimal performance implications and no loss of functionality. TDE uses AES-256 encryption to generate the key.

Whereas with Field Level Encryption (FLE) the encryption is on the application layer and the email address has to be encrypted, with TDE, is it just a matter of trusting their word, or would they provide the database encryption key (DEK)?

Best Answer

TDE is, as EazyE also mentions, a paid feature. You should reach out to your Account Executive to have it enabled, but it will come at a price.

Do observe that, if you accept the cost, it might not be straightforward to enable. If your environment is on a shared DB, you will be assigned a new MID. Only if you are on a dedicated DB should it be possible to apply TDE to your existing MID.

And validating can only be done by Salesforce, so it is indeed a matter of trust. Since this is using SQL's own encryption at the file system level, it is not reflected in the application in any way.
