We have been asked by our IT department to enable TDE for the PI-AF databases and I am wondering if this is supported and has been tested. We have a few instances of AF 2.4, but mostly AF 2.6.
KB01092 talks about data encryption at rest: https://techsupport.osisoft.com/Troubleshooting/KB/KB01092/
Excerpt about encrypting PI System at rest:
Encrypting PI System data at rest
The PI System is compatible with whole disk encryption solutions such as BitLocker, Windows EFS, or as provided by SAN storage mechanisms.
The KB article primarily discusses encryption for data in transit, and the excerpt you mentioned only pertains to the data archive from a file perspective. I am interested in the SQL Server database for PI-AF (typically called something like PIFD) and whether TDE is supported or has been tested.
As far as I know, we have not performed any tests on a TDE-encrypted SQL backend. Will double-check. We generally have recommendations for components that directly impact the PI System, which is why we support and recommend using SSL/TLS to encrypt the data between the SQL Server and the application (AF). You can find some more general information in the KB that Akhilesh linked above.
You may also find the following resources helpful:
Hope this helps,
Thank you for checking if there has been any testing done with TDE for the PI-AF database on SQL server. The other links you sent will be useful too.
It has not been tested, so we cannot support it officially. That does not mean that it will not work. We would strongly recommend first doing your own internal test on a non-production environment. As Seb mentioned below, it should not cause a problem, but I would not suggest rolling this out on production before performing thorough testing.
Transparent Data Encryption is performed by the SQL Server when writing to disk (and decrypted when reading). This has nothing to do with the application, in this case the PI AF Application Service, reading from and writing to the SQL database. According to Microsoft documentation there are no changes required at the application level (see Gabriel Michaud-Verreault's third link). We have not tested the PI AF Application Service against a SQL Server using TDE for PIFD, but this should work since the encryption is occurring between SQL and disk and not between AF and SQL (that is handled by SSL/TLS).
That being said, I would expect some performance drawbacks. There are a few articles out there with a list of pros and cons. I couldn't find any official ones from Microsoft, but these two were interesting:
Pros and Cons of Transparent Data Encryption (TDE) Part 1 of 3 - SQLMatters
The dirty little secret of Transparent Data Encryption (SQL Server 2012) | New Horizons
Another drawback is that if you are running into an issue with your AF Servers and you need to share your PIFD with OSIsoft, this won't be possible with TDE unless the certificate is also shared. Some companies have a policy to never allow a sharing of the back end AF SQL database (PIFD) with us, and I'm not sure if your company has this policy, but I just wanted to point that out in case this comes up in the future.
I couldn't find any calls in our call database about customers using TDE and what their experience was.
I would recommend upgrading your AF Server. I know this is unrelated, but AF 2.4 and 2.6 are very old. There have been numerous changes, notably a change in the security model used by AF in AF 2.7.
Hope this helps,
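To make the points in the reply above concrete (TDE sits between SQL Server and disk, the certificate must be backed up or a PIFD backup cannot be restored elsewhere, and TLS on the wire is a separate control), here is a T-SQL script for trying TDE on a non-production copy of the AF database. This is an added example written for this page; it is not code from the thread, from OSIsoft or from Microsoft documentation. The database name PIFD comes from the thread; the certificate name, passphrases and backup file paths are placeholders you must replace. It assumes sysadmin rights and an edition that supports TDE (Enterprise, or Standard from SQL Server 2019 onward).

```sql
-- Added example, not from the original thread. Run on a NON-PRODUCTION copy of PIFD.
-- Placeholders (assumptions): certificate name, passphrases, backup file paths.
USE master;
GO

-- 1. Database master key in master; it protects the server certificate below.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-Strong-Passphrase-1!';
GO

-- 2. Server certificate that will protect the database encryption key (DEK).
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'PIFD_TDE_Cert')
    CREATE CERTIFICATE PIFD_TDE_Cert WITH SUBJECT = 'TDE certificate for PIFD (test)';
GO

-- 3. Back up the certificate and private key BEFORE enabling encryption and store
--    them away from the database backups. Without this pair, a PIFD backup cannot be
--    restored on any other instance (the support-sharing caveat raised in the thread).
BACKUP CERTIFICATE PIFD_TDE_Cert
    TO FILE = 'C:\Secure\PIFD_TDE_Cert.cer'          -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\Secure\PIFD_TDE_Cert.pvk',         -- placeholder path
        ENCRYPTION BY PASSWORD = 'Replace-With-Strong-Passphrase-2!');
GO

-- 4. Create the DEK inside PIFD and switch encryption on. Nothing changes for the
--    AF Application Service: it keeps using the same connection string and logins.
USE PIFD;
GO
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID('PIFD'))
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE PIFD_TDE_Cert;
GO
ALTER DATABASE PIFD SET ENCRYPTION ON;
GO

-- 5. Verify at-rest encryption. encryption_state: 2 = encryption in progress, 3 = encrypted.
--    tempdb appears as well, because enabling TDE on any user database also encrypts tempdb.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, percent_complete, key_algorithm, key_length
FROM   sys.dm_database_encryption_keys;

-- 6. TDE does not touch the wire. Check separately that the AF Server's sessions are
--    TLS-protected: encrypt_option must be 'TRUE' for the AF Application Service host.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.encrypt_option, c.net_transport, c.client_net_address
FROM   sys.dm_exec_sessions   AS s
JOIN   sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE  s.is_user_process = 1;
```

Step 5 is the one to watch during the internal test the reply recommends: the initial encryption scan runs in the background and costs I/O until encryption_state reaches 3, so measure AF read/write behaviour both during the scan and after it completes before drawing conclusions about the performance cost.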