Ensure that Transparent Data Encryption (TDE, also known as encryption at rest) is enabled for all SQL databases in your Microsoft Azure cloud account, so that your data is protected at rest.
Transparent Data Encryption (TDE) helps protect Azure SQL databases against the threat of malicious activity by encrypting data at rest. It performs real-time encryption and decryption of the database, its associated backups, and its transaction log files stored at rest, without requiring changes to your database application. The feature encrypts the storage of an entire SQL database using a symmetric key called the database encryption key. This database encryption key is in turn protected by the TDE protector, which is either a service-managed certificate or a customer-managed key (i.e. Bring Your Own Key, BYOK) stored in the Azure Key Vault service.
To determine if encryption at rest is enabled for all your Azure SQL databases, perform the following actions:
Remediation / Resolution
To enable Transparent Data Encryption (TDE) for your Microsoft Azure SQL databases (including their backups and transaction log files), perform the following actions:
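The following Python script is an added example and not part of the Knowledge Base article's own audit or remediation steps. It shows how the check described above can be automated: it walks every SQL server and database in the current subscription through the Azure CLI (`az sql server list`, `az sql db list`, `az sql db tde show` and `az sql server tde-key show`), flags each user database whose TDE state is not `Enabled`, records whether the server's TDE protector is service-managed or an Azure Key Vault key, and prints the `az sql db tde set --status Enabled` command that remediates each finding without executing it. The inventory shape, resource group names, server names and database names in `SAMPLE_INVENTORY` are constructed sample data so the script also runs offline when the `az` CLI is not installed.

```python
"""Audit Azure SQL databases for Transparent Data Encryption (TDE).

Added example, not the Knowledge Base's own procedure. Evaluates the JSON the
Azure CLI returns and emits the remediation command for each finding.
"""
import json
import shutil
import subprocess

# Constructed sample mirroring the fields the CLI returns; these are not real
# resources. "protector" is the shape of `az sql server tde-key show`,
# "tde" the shape of `az sql db tde show`.
SAMPLE_INVENTORY = [
    {
        "resourceGroup": "rg-payments",
        "server": "sql-payments-prod",
        "protector": {"serverKeyType": "AzureKeyVault",
                      "serverKeyName": "kv-tde-key_tde-protector_0123"},
        "databases": [
            {"name": "master", "tde": {"state": "Enabled"}},
            {"name": "ledger", "tde": {"state": "Enabled"}},
            {"name": "reporting", "tde": {"state": "Disabled"}},
        ],
    },
    {
        "resourceGroup": "rg-web",
        "server": "sql-web-dev",
        "protector": {"serverKeyType": "ServiceManaged",
                      "serverKeyName": "ServiceManaged"},
        "databases": [
            {"name": "master", "tde": {"state": "Enabled"}},
            {"name": "sessions", "tde": {"state": "Disabled"}},
        ],
    },
]


def find_unencrypted(inventory):
    """Return one finding per user database whose TDE state is not 'Enabled'."""
    findings = []
    for server in inventory:
        protector = server["protector"].get("serverKeyType", "Unknown")
        for db in server["databases"]:
            if db["name"] == "master":
                continue  # system database; TDE is not configured per database here
            state = db["tde"].get("state", "Unknown")
            if state != "Enabled":
                findings.append({
                    "resourceGroup": server["resourceGroup"],
                    "server": server["server"],
                    "database": db["name"],
                    "state": state,
                    "protector": protector,
                })
    return findings


def remediation_commands(findings):
    """Build (but do not run) the az command that enables TDE for each finding."""
    return [
        "az sql db tde set --status Enabled"
        f" --resource-group {f['resourceGroup']}"
        f" --server {f['server']} --database {f['database']}"
        for f in findings
    ]


def _az(*args):
    """Run an Azure CLI command and parse its JSON output."""
    result = subprocess.run(["az", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def collect_inventory():
    """Query the current subscription into the same shape as SAMPLE_INVENTORY."""
    inventory = []
    for srv in _az("sql", "server", "list"):
        rg, name = srv["resourceGroup"], srv["name"]
        entry = {
            "resourceGroup": rg,
            "server": name,
            "protector": _az("sql", "server", "tde-key", "show",
                             "--resource-group", rg, "--server", name),
            "databases": [],
        }
        for db in _az("sql", "db", "list", "--resource-group", rg, "--server", name):
            tde = _az("sql", "db", "tde", "show", "--resource-group", rg,
                      "--server", name, "--database", db["name"])
            entry["databases"].append({"name": db["name"], "tde": tde})
        inventory.append(entry)
    return inventory


if __name__ == "__main__":
    # Live audit when the CLI is present (requires `az login`); sample data otherwise.
    inv = collect_inventory() if shutil.which("az") else SAMPLE_INVENTORY
    findings = find_unencrypted(inv)
    for f in findings:
        print(f"NON-COMPLIANT {f['server']}/{f['database']}: "
              f"TDE {f['state']} (server protector: {f['protector']})")
    for cmd in remediation_commands(findings):
        print(cmd)
```

The protector type is reported alongside each finding because both a service-managed certificate and a customer-managed Key Vault key satisfy this rule; the field only tells the reviewer which model the server uses. Run the generated `az sql db tde set` commands only after confirming the findings, since the script deliberately prints rather than applies them.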
Enable Transparent Data Encryption for SQL Databases
Risk level: Medium