Ensure that your Microsoft Azure SQL server's Transparent Data Encryption protector (i.e. TDE master key) is encrypted with BYOK (Bring Your Own Key), also known as Customer-Managed Key (CMK), in order to protect your SQL databases with a key from your own Azure key vault.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Customer-Managed Key (CMK) support for Transparent Data Encryption (TDE) allows user access control over TDE encryption keys, i.e. decide who can access the TDE keys and when. Azure Key Vault – a cloud-based external key management system developed by Microsoft Azure, is the first key management service where the SQL Transparent Data Encryption has integrated support for Customer-Managed Keys (CMKs). With CMK-based encryption, the database encryption key is protected by an asymmetric key stored in your Azure key vault. The asymmetric key is configured at the SQL server level and inherited by all databases created on the server.
Audit
To determine the type of the encryption key used for Transparent Data Encryption (TDE) protector, perform the following actions:
Remediation / Resolution
To configure Transparent Data Encryption (TDE) to encrypt your Microsoft Azure SQL database servers with your own Customer-Managed Key (CMK), perform the following actions:
References
- Azure Official Documentation
- Transparent data encryption (TDE)
- Transparent data encryption for SQL Database, SQL Managed Instance, and Azure Synapse Analytics
- Azure SQL transparent data encryption with customer-managed key
- Azure PowerShell Documentation
- az sql
- az sql server list
- az sql server tde-key show
- az sql server tde-key set
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Use BYOK for Transparent Data Encryption
Risk Level: Medium