It seems that when SQL TDE is implemented, certificates are used to protect the keys used to encrypt the data. What would be the benefits of using a CA-signed certificate in this scenario over a self-signed certificate?
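For readers unfamiliar with the key hierarchy the question refers to, the following T-SQL is an added example (not from the original post or from Microsoft's documentation) showing how a TDE protector certificate is created, backed up and bound to a database encryption key (DEK), and how to check the result. Database name `ExampleDB`, certificate name `TDE_Cert`, file paths and passwords are placeholders chosen for the example. The point it illustrates: the engine uses the certificate's key pair to wrap the DEK locally, the same `CREATE DATABASE ENCRYPTION KEY` statement is used whether the certificate was generated in place (self-signed) or imported from files, and the operational risk to manage is loss or exposure of the certificate's private key, which is why the backup step comes before the DEK is created.

```sql
USE master;
GO

-- 1. Database master key (DMK) in master. It protects the private key of the
--    TDE certificate; the DMK itself is protected by the service master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Placeholder!DMK!P@ssw0rd';
GO

-- 2a. Certificate generated inside the engine. Nothing signs it but itself,
--     so sys.certificates will show issuer_name equal to subject.
CREATE CERTIFICATE TDE_Cert
    WITH SUBJECT = 'TDE protector for ExampleDB',   -- hypothetical subject
         EXPIRY_DATE = '2030-12-31';
GO

-- 2b. Alternative: import an externally issued certificate and its private key.
--     The engine imports the key pair from the files; it does not need the
--     issuing CA to be present or trusted on the host. (Commented out so the
--     script runs as written with the self-signed certificate from step 2a.)
-- CREATE CERTIFICATE TDE_Cert
--     FROM FILE = 'C:\Keys\tde_cert.cer'                  -- placeholder path
--     WITH PRIVATE KEY (FILE = 'C:\Keys\tde_cert.pvk',    -- placeholder path
--                       DECRYPTION BY PASSWORD = 'Placeholder!Pvk!P@ss');
-- GO

-- 3. Back up the certificate WITH its private key before it protects anything.
--    Without this file pair the encrypted database cannot be restored or
--    attached anywhere else. Store the backup and its password separately.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\Keys\TDE_Cert_backup.cer'              -- placeholder path
    WITH PRIVATE KEY (FILE = 'C:\Keys\TDE_Cert_backup.pvk',
                      ENCRYPTION BY PASSWORD = 'Placeholder!Backup!P@ss');
GO

-- 4. DEK lives in the user database and is encrypted by the certificate's
--    public key. If step 3 were skipped, this statement would still succeed
--    but raise the warning that the certificate has not been backed up.
USE ExampleDB;   -- hypothetical database
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE ExampleDB SET ENCRYPTION ON;
GO

-- 5. Check: which protector wraps the DEK, and has its private key been
--    backed up? encryption_state 3 = encrypted; encryptor_type should be
--    'CERTIFICATE'; pvt_key_last_backup_date should not be NULL.
SELECT DB_NAME(k.database_id)      AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type,
       c.name                      AS certificate_name,
       c.issuer_name,
       c.subject,
       c.expiry_date,
       c.pvt_key_last_backup_date
FROM   sys.dm_database_encryption_keys AS k
JOIN   master.sys.certificates         AS c
       ON c.thumbprint = k.encryptor_thumbprint;
```

Two things worth noticing when running this. First, the protector is selected by thumbprint (`encryptor_thumbprint`), not by any trust relationship: the engine will happily use whichever certificate you name, self-signed or not. Second, the items that actually decide whether the data stays confidential and recoverable are the DMK password, the backup password, the `.pvk` files and who can read them; those deserve the same handling as any other key material regardless of who issued the certificate.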
-
If you do a quick search, you'll find plenty of answered questions (including some that reference SQL TDE) [https://security.stackexchange.com/questions/38782/ssl-tls-distinction-between-self-signed-cert-and-self-signed-ca-and-other-que?rq=1, https://security.stackexchange.com/questions/68189/does-a-self-signed-certificate-offer-more-protection-than-a-public-key?rq=1, https://security.stackexchange.com/questions/130012/can-we-provide-our-external-certificates-to-a-customers-sql-server-for-ssl?rq=1] that address the benefits of using signed certs vs self-signed. Have a check at those. – Pedro Jun 23 '20 at 09:10
-
@Pedro I don't think any of those links specifically answer my question; the one around SQL seemed more around certificates for TLS rather than what was stated in my question. I don't see the benefits of using CA-signed in this specific scenario, as my understanding is we don't need to provide assurance of any identity as the certificate is just used to encrypt encryption keys. – user1876202 Jun 23 '20 at 10:32
-
I don't know the technology, so I can't pinpoint details that support or disprove what you are saying. What I know is that PKI exists for a reason. If connecting peers don't or have no way to validate certificates, then that's not something you can address. But it's obvious a trick is being missed in the implementation. – Pedro Jun 23 '20 at 10:49