Data encryption in SQL DB
We have a requirement to encrypt certain documents before they are stored in the database. We have MOSS SP2. Any thoughts on how to approach this? The database is SQL Server 2008. We are aware of the TDE in SQL Server 2008, but we are looking for a way to encrypt the documents in the database.
Thanks for any thoughts.
Costas
Costas Tsaklas - http://costas.cpstechgroup.com
July 1st, 2010 12:40am
"We have a requirement to encrypt certain documents before they are stored in the database"
I am not sure what you mean by "before". My understanding is that the encryption should apply at the document level, instead of encrypting the database as a whole, as the TDE you mentioned does.
I think you know that users can set a password for documents such as an Excel workbook.
For an integrated solution, you can evaluate AD RMS or SharePoint integration with AD RMS; AD RMS-based document protection relies on encryption.
Please read this for details:
http://technet.microsoft.com/en-us/magazine/2009.04.insidesharepoint.aspx
Gu Yuming
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
July 1st, 2010 6:24am
Thanks for the reply.
Sorry if I didn't make myself clear. By saying "encrypting before", I mean that the document should be encrypted before it is stored in the database.
If we use TDE, and someone gains access to the SQL Server and queries the database directly, won't they be able to view the document? That is what we are trying to protect ourselves against. Any thoughts on that?
Thanks
Costas
Costas Tsaklas - http://costas.cpstechgroup.com
July 1st, 2010 1:30pm
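Costas's point above (TDE decrypts transparently for anyone who can query the database, so the document itself has to be encrypted before it is written) can be met by encrypting in the application tier. The following is an added example, not code from the thread, from SharePoint or from SQL Server; DocumentProtector, Protect and Unprotect are hypothetical names, and the two 32-byte keys are assumed to be held outside SQL Server.

```csharp
using System;
using System.Security.Cryptography;
// Hypothetical helper (not from the thread): encrypts a document's bytes in the
// application tier before the INSERT, so the content table holds only ciphertext.
// encKey and macKey are 32-byte keys assumed to live outside SQL Server (e.g. in a
// DPAPI-protected web.config); a user who can only query the database never sees them.
public static class DocumentProtector
{
    const int IvLen = 16, TagLen = 32;   // AES block size, HMAC-SHA256 output size
    // Stored blob layout: IV || AES-256-CBC ciphertext || HMAC-SHA256 tag (encrypt-then-MAC)
    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] document)
    {
        using (var aes = new AesManaged { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();                          // fresh random IV per document
            byte[] body;
            using (var enc = aes.CreateEncryptor())
                body = enc.TransformFinalBlock(document, 0, document.Length);
            var blob = new byte[IvLen + body.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(body, 0, blob, IvLen, body.Length);
            using (var hmac = new HMACSHA256(macKey))  // tag covers IV and ciphertext
            {
                byte[] tag = hmac.ComputeHash(blob, 0, IvLen + body.Length);
                Buffer.BlockCopy(tag, 0, blob, IvLen + body.Length, TagLen);
            }
            return blob;
        }
    }
    public static byte[] Unprotect(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("stored blob too short");
        int bodyLen = blob.Length - IvLen - TagLen;
        using (var hmac = new HMACSHA256(macKey))      // verify the tag before any decryption
        {
            byte[] expected = hmac.ComputeHash(blob, 0, IvLen + bodyLen);
            int diff = 0;                              // constant-time comparison
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[IvLen + bodyLen + i];
            if (diff != 0) throw new CryptographicException("document tampered with or wrong key");
        }
        using (var aes = new AesManaged { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            var iv = new byte[IvLen];
            Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen);
        }
    }
}
```

The byte[] returned by Protect is what goes into the varbinary column, and only the application tier, holding the keys, can call Unprotect; the trade-off is that SQL Server and SharePoint search can no longer index the document content.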
Please read what follows, from http://technet.microsoft.com/en-us/magazine/2009.04.insidesharepoint.aspx:
…
For SharePoint security architects and administrators, there are at least three important facts to take away from the AD RMS implementation details. First, AD RMS protection is end-to-end, meaning protection remains with the document wherever the document goes (note that I am talking about AD RMS here, not about SharePoint integration with AD RMS). So you can place an AD RMS protected file on a Windows BitLocker drive or on an unencrypted drive, you can place it on a file share with Everyone read access, you can upload it to a SharePoint document library, you can send it to an unauthorized recipient outside your organization, but the content remains protected end-to-end, from the document owner on one end to the consuming user on the other end.
…
SharePoint Integration with AD RMS
With these facts in mind, let's approach SharePoint integration with AD RMS. First and foremost, Microsoft states in all relevant product documentation pieces that AD RMS-enabled document libraries store content items unencrypted. So, there is no bulk encryption when you move items into an AD RMS-enabled document library. More importantly, because the items are unencrypted, there is no AD RMS protection and no security gain in the SharePoint environment.
SharePoint administrators and users might believe that AD RMS end-to-end security exists, but SharePoint integration with AD RMS fully depends on SharePoint security. According to "Information Rights Management in Windows SharePoint Services Overview" in the WSS 3.0 SDK, Microsoft opted not to store the items in encrypted, rights-managed formats due to customer demand.
…
We can infer that if you want the file to be encrypted in the database, you may choose AD RMS, but not an AD RMS-enabled document library in SharePoint.
However, I still think an AD RMS-enabled document library is better, since if the document is encrypted in SharePoint, you may have difficulty searching (I guess; I have not tested it and have not done research on it).
Gu Yuming
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
July 1st, 2010 2:20pm