Profile Applicability:
Level 1
Description:
Enable Transparent Data Encryption (TDE) on every SQL database on every SQL server. All newly created databases in Azure SQL Database are encrypted by default using service-managed transparent data encryption, so this control is about confirming that TDE has not been switched off on any database.
Rationale:
Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database files, associated backups, and transaction log files at rest, without requiring changes to the application.
Default Value:
By default, Data encryption is set to On.
Impact:
In terms of database security, encryption secures the actual data within the database and protects backups, so data remains protected even if the underlying storage or a backup file is obtained by an attacker. TDE is an at-rest control only: it does not protect data in transit or data read through a compromised database login, which must be addressed by other controls.
Audit:
From Azure Console
Go to SQL databases
For each DB instance
Click on Transparent data encryption
Ensure that Data encryption is set to On
Using Azure Command Line Interface 2.0
Ensure the output of the command below is Enabled
az sql db tde show --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --query status
Remediation:
From Azure Console
Go to SQL databases
For each DB instance
Click on Transparent data encryption
Set Data encryption to On
Using Azure Command Line Interface 2.0
Use the below command to enable Transparent data encryption for SQL DB instance
az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled
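The audit and remediation steps above are written for a single database. The script below is an added example, not part of the CIS benchmark text, that applies both to every database on every SQL server in the current subscription: "audit" reports each database as OK, FAIL or SKIP (the master database is skipped because it cannot be TDE-encrypted) and exits non-zero if any user database is not Enabled; "remediate" runs "az sql db tde set ... --status Enabled" on exactly those databases. It assumes Azure CLI 2.x is installed and "az login" has been run with rights to read (audit) or modify (remediate) the SQL servers; resource group, server and database names are discovered from the subscription rather than supplied as placeholders.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit, and optionally remediate,
# TDE on every Azure SQL database in the current subscription.
# Assumes: Azure CLI 2.x is installed and "az login" has been run with at least
# read access (audit) or SQL Server contributor rights (remediate). Server,
# resource-group and database names are discovered from the subscription.
set -eu

# The logical master database cannot be TDE-encrypted, so it is never flagged.
is_master_db() {
  [ "$1" = "master" ]
}

# TDE status as returned by "az sql db tde show --query status -o tsv".
tde_status_compliant() {
  [ "$1" = "Enabled" ]
}

# Verdict for one database. Prints SKIP / OK / FAIL; returns 1 only on FAIL.
# Arguments: <resourceGroup> <server> <database> <tdeStatus>
evaluate_db() {
  server=$2; db=$3; status=$4
  if is_master_db "$db"; then
    printf 'SKIP %s/%s master database is not TDE-encrypted by design\n' "$server" "$db"
    return 0
  fi
  if tde_status_compliant "$status"; then
    printf 'OK   %s/%s TDE=%s\n' "$server" "$db" "$status"
    return 0
  fi
  printf 'FAIL %s/%s TDE=%s\n' "$server" "$db" "$status"
  return 1
}

# Remediation handler: enable TDE wherever evaluate_db would report FAIL.
remediate_db() {
  rg=$1; server=$2; db=$3; status=$4
  if is_master_db "$db" || tde_status_compliant "$status"; then
    return 0
  fi
  printf 'ENABLING TDE on %s/%s (was %s)\n' "$server" "$db" "$status"
  az sql db tde set --resource-group "$rg" --server "$server" \
     --database "$db" --status Enabled >/dev/null
}

# Walk every database on every SQL server in the subscription and call
# "$1 <resourceGroup> <server> <database> <tdeStatus>" for each one.
for_each_db() {
  handler=$1
  az sql server list --query "[].[resourceGroup,name]" -o tsv |
  while IFS="$(printf '\t')" read -r rg server; do
    az sql db list --resource-group "$rg" --server "$server" \
       --query "[].name" -o tsv |
    while IFS= read -r db; do
      if is_master_db "$db"; then
        status="n/a"          # tde show is not meaningful for master
      else
        status=$(az sql db tde show --resource-group "$rg" --server "$server" \
                   --database "$db" --query status -o tsv)
      fi
      "$handler" "$rg" "$server" "$db" "$status" || true
    done
  done
}

# Audit the subscription; exit status 0 only when no FAIL lines were produced.
audit_subscription() {
  report=$(mktemp)
  for_each_db evaluate_db | tee "$report"
  failures=$(grep -c '^FAIL' "$report" || true)
  rm -f "$report"
  echo "Non-compliant databases: $failures"
  [ "$failures" -eq 0 ]
}

case "${1:-}" in
  audit)     audit_subscription ;;
  remediate) for_each_db remediate_db ;;
  *)         echo "usage: $0 audit|remediate   (run 'az login' first)" ;;
esac
```

Run "sh tde_check.sh audit" first and review the FAIL lines; the non-zero exit status makes it usable as a scheduled compliance check. Only then run "sh tde_check.sh remediate", which touches nothing that is already Enabled and never attempts to encrypt master.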
Backout Plan:
From Azure Console
Go to SQL databases
For each DB instance
Click on Transparent data encryption
Set Data encryption to Off
Using Azure Command Line Interface 2.0
Use the below command to disable Transparent data encryption for the SQL DB instance.
az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Disabled
Note:
TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases, so it must be excluded from the audit rather than reported as a finding.
The Azure Portal does not show the master database under each SQL server; CLI/API responses, however, do list it.