Database security recommendations

Current version: 9.1

This topic provides recommendations to protect your data at rest and your data in motion.

  • Use Transport Layer Security (TLS) to encrypt the connection for data transmission between an instance of SQL Server and a client application (data in motion or data in transit).

  • Use Transparent Data Encryption (TDE) to encrypt physical files, such as data and log files (data at rest). TDE is configured on the SQL Server side, so there are no limitations and no specific Sitecore configuration settings are needed to enable it.

    For newly deployed Azure SQL databases, TDE is enabled by default. For on-premises deployments, TDE is not enabled by default.

    TDE encrypts only the physical files. It does not encrypt the communication channel or the data itself, so anyone with access to the database can still read sensitive data.

  • Use Always Encrypted to encrypt sensitive data at rest.

    The Always Encrypted feature provides a separation between those who own the data and can process it, and those who manage the data but must not have access to sensitive information. Only the client application can decrypt and use sensitive data.

    The Always Encrypted feature configures encryption for individual database columns with sensitive data. This means that not all columns are necessarily encrypted.


    Not all Sitecore databases support the Always Encrypted configuration. Sitecore databases that do support it include the xDB Collection database and the Sitecore Cortex Processing database.
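
The following T-SQL is an added example, not part of the original Sitecore documentation. It shows one way to verify each of the three recommendations above on the SQL Server side, using standard catalog views and dynamic management views. No Sitecore database names are assumed; run the third query inside each database that should use Always Encrypted.

```sql
-- Added example: run in SSMS or sqlcmd against the SQL Server instance.
-- On on-premises SQL Server, queries 1 and 2 need VIEW SERVER STATE.

-- 1. Data in motion: sessions whose connection is NOT TLS-encrypted.
--    encrypt_option is the string 'TRUE' or 'FALSE'.
SELECT c.session_id,
       s.login_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE';

-- 2. Data at rest (files): TDE state for every user database.
--    encryption_state 3 = encrypted; NULL = no database encryption key, TDE is off.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.database_id > 4            -- skip master, tempdb, model, msdb
ORDER BY d.name;

-- 3. Data at rest (columns): Always Encrypted columns in the CURRENT database.
--    An empty result means no column in this database is protected.
SELECT SCHEMA_NAME(t.schema_id)    AS schema_name,
       t.name                      AS table_name,
       c.name                      AS column_name,
       c.encryption_type_desc,     -- DETERMINISTIC or RANDOMIZED
       c.encryption_algorithm_name,
       cek.name                    AS column_encryption_key
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.column_encryption_keys AS cek
       ON cek.column_encryption_key_id = c.column_encryption_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY schema_name, table_name, column_name;
```

Any row returned by the first query is a session sending data in clear text, and a database with `is_encrypted = 0` in the second query has unencrypted data and log files.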
