| title | sp_pdw_database_encryption (Azure Synapse Analytics) | |
|---|---|---|
| description | sp_pdw_database_encryption enables transparent data encryption for an Azure Synapse Analytics appliance. | |
| author | WilliamDAssafMSFT | |
| ms.author | wiassaf | |
| ms.reviewer | randolphwest | |
| ms.date | 06/23/2025 | |
| ms.service | sql | |
| ms.topic | reference | |
| dev_langs |
|
|
| monikerRange | >=aps-pdw-2016 || =azure-sqldw-latest |
[!INCLUDE applies-to-version/asa-pdw]
Use sp_pdw_database_encryption to enable transparent data encryption (TDE) for an [!INCLUDE ssazuresynapse-md] appliance. When sp_pdw_database_encryption set to 1, use the ALTER DATABASE statement to encrypt a database by using TDE.
Syntax for Azure Synapse Analytics and Analytics Platform System (PDW).
sp_pdw_database_encryption [ [ @enabled = ] enabled ]
[ ; ]
Note
[!INCLUDE synapse-analytics-od-unsupported-syntax]
Determines whether transparent data encryption is enabled. enabled is int, and can be one of the following values:
0= Disabled1= Enabled
If you execute sp_pdw_database_encryption without parameters, it returns the current state of TDE on the appliance as a scalar result set: 0 for disabled, or 1 for enabled.
0 (success) or 1 (failure).
When the TDE is enabled using sp_pdw_database_encryption, the tempdb database is dropped, recreated, and encrypted. For that reason, the TDE can't be enabled on an appliance while there are other active sessions using tempdb. Enabling or disabling TDE on an appliance is an action that changes the state of the appliance. In most cases, this process is expected to be performed once in the appliance lifetime, and should be executed when there's no traffic on the appliance.
Requires membership in the sysadmin fixed database role, or CONTROL SERVER permission.
The following example enables TDE on the appliance.
EXECUTE sys.sp_pdw_database_encryption 1;