Ensure that your Microsoft Azure SQL server's Transparent Data Encryption protector (i.e. TDE master key) is encrypted with BYOK (Bring Your Own Key) in order to protect your SQL databases with a key from your own Azure key vault.
Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE) gives you control of the TDE encryption keys and lets you restrict who can access these keys and when. Azure Key Vault, the cloud-based external key management system provided by Microsoft Azure, is the first key management service for which SQL Transparent Data Encryption has integrated BYOK support. With BYOK, the database encryption key (DEK) is protected by an asymmetric key stored in the Key Vault. This asymmetric key (the TDE protector) is set at the SQL server level and is inherited by all databases created on that server.
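As an added example (not part of the original page), the following Python check evaluates the TDE protector of several SQL servers and reports whether each is service-managed or a BYOK key held in Azure Key Vault. The records are constructed for the example; the field names serverKeyType and uri are assumed to match the Microsoft.Sql/servers/encryptionProtector resource as shown by `az sql server tde-key show`.

```python
import json
from urllib.parse import urlparse

# Constructed sample records (made-up servers and key names) in the assumed shape of the
# encryptionProtector resource: serverKeyType is "ServiceManaged" or "AzureKeyVault".
SAMPLE_PROTECTORS = json.dumps([
    {"serverName": "sql-prod-01", "serverKeyType": "ServiceManaged",
     "serverKeyName": "ServiceManaged", "uri": None},
    {"serverName": "sql-prod-02", "serverKeyType": "AzureKeyVault",
     "serverKeyName": "kv-prod_tde-key_0123456789abcdef0123456789abcdef",
     "uri": "https://kv-prod.vault.azure.net/keys/tde-key/0123456789abcdef0123456789abcdef"},
    {"serverName": "sql-dev-03", "serverKeyType": "AzureKeyVault",
     "serverKeyName": "misconfigured", "uri": None},
])


def parse_key_uri(uri):
    """Split a Key Vault key URI into (vault_host, key_name, key_version or None).

    Returns None when the URI is not an https Key Vault key URI of the form
    https://<vault>.vault.azure.net/keys/<name>[/<version>].
    """
    parsed = urlparse(uri)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.scheme != "https" or len(parts) < 2 or parts[0] != "keys":
        return None
    return parsed.netloc, parts[1], (parts[2] if len(parts) > 2 else None)


def evaluate_protector(record):
    """Return (server_name, "PASS"/"FAIL", detail) for one encryptionProtector record."""
    server = record["serverName"]
    if record.get("serverKeyType") != "AzureKeyVault":
        return server, "FAIL", "TDE protector is service-managed (no BYOK)"
    parsed = parse_key_uri(record.get("uri") or "")
    if parsed is None:
        return server, "FAIL", "key type is AzureKeyVault but no valid Key Vault key URI is set"
    host, name, version = parsed
    # Assumption: public-cloud Key Vault host suffix; adjust for sovereign clouds or Managed HSM.
    if not host.endswith(".vault.azure.net"):
        return server, "FAIL", f"key is not hosted in Azure Key Vault: {host}"
    return server, "PASS", f"BYOK protector {name} in {host} (version {version or 'unversioned'})"


def audit(protectors_json):
    """Evaluate every record in a JSON array of encryptionProtector resources."""
    return [evaluate_protector(r) for r in json.loads(protectors_json)]


if __name__ == "__main__":
    for server, status, detail in audit(SAMPLE_PROTECTORS):
        print(f"{status}  {server}: {detail}")
```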
To determine if BYOK is used for your Azure SQL server's Transparent Data Encryption (TDE), perform the following actions:
Remediation / Resolution
To configure the Transparent Data Encryption (TDE) protector of your Azure SQL database servers to use your own customer-managed key (BYOK), perform the following actions:
Rule: Use BYOK for Transparent Data Encryption
Risk level: Medium