Profile Applicability:

  • Level 1

Description:

Enable Transparent Data Encryption (TDE) on every database of every SQL server. All newly created databases in Azure SQL Database are encrypted by default using service-managed TDE, so this check mostly catches databases on which encryption was later turned off or that were migrated with encryption disabled.

Rationale:

Azure SQL Database transparent data encryption helps protect against malicious activity such as theft of the underlying storage or backup media by performing real-time encryption and decryption of the database, its associated backups, and its transaction log files at rest, without requiring any changes to the application.

Default Value:

By default, Data encryption is set to On.


Impact:

Enabling TDE is transparent to applications: encryption and decryption happen in the storage layer, so no connection strings or queries change. It secures the data files within the database and protects backups, so data remains protected even if the storage or backup files are obtained by an attacker. Note that TDE does not protect data from a principal who can already authenticate to the database; it is a protection for data at rest only.

Audit:

From Azure Console

  1. Go to SQL databases


  2. For each DB instance

  3. Click on Transparent data encryption

  4. Ensure that Data encryption is set to On

Using Azure Command Line Interface 2.0

Ensure the output of the below command is Enabled for each database (the master database cannot be encrypted and is excluded; see Note)

az sql db tde show --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --query status

Remediation:

From Azure Console

  1. Go to SQL databases

  2. For each DB instance

  3. Click on Transparent data encryption

  4. Set Data encryption to On

Using Azure Command Line Interface 2.0

Use the below command to enable Transparent data encryption for SQL DB instance

az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled
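The Audit and Remediation steps above are written per database. The following script is an added example (not part of the benchmark text or of any Microsoft tooling) that applies them to every database in the current subscription: it enumerates logical servers and databases with the az CLI, skips the master database (which cannot be TDE-encrypted, see Note), reports PASS/FAIL per database, and with FIX=1 enables TDE on every non-compliant database. It assumes az CLI 2.x is installed and logged in, and that the identity has read access for the audit and SQL write access (for example SQL DB Contributor) for the fix. The function names, the RUN_TDE_AUDIT and FIX variables, and the file name are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not benchmark text): audit TDE on every user database in the
# current subscription with the az CLI, and optionally remediate.
# Assumes: az CLI 2.x, already logged in (az login), read rights for the audit
# and SQL write rights (e.g. SQL DB Contributor) for FIX=1.
set -eu

tab=$(printf '\t')

# Print the TDE status ("Enabled" or "Disabled") of one database.
tde_status() {
  az sql db tde show --resource-group "$1" --server "$2" --database "$3" \
     --query status -o tsv
}

# Print every database in the subscription, except master, as
# "<resourceGroup><TAB><server><TAB><database>".
list_user_dbs() {
  local rg server db
  az sql server list --query "[].[resourceGroup,name]" -o tsv |
  while IFS="$tab" read -r rg server; do
    az sql db list --resource-group "$rg" --server "$server" \
       --query "[].name" -o tsv |
    while read -r db; do
      # master cannot be TDE-encrypted (see Note): skip it rather than
      # report a false finding.
      [ "$db" = master ] && continue
      printf '%s\t%s\t%s\n' "$rg" "$server" "$db"
    done
  done
}

# audit_tde [FIX]
# Prints one PASS/FAIL line per database and returns 1 if any database does not
# report "Enabled". With FIX=1 it also runs "az sql db tde set ... Enabled" on
# every non-compliant database (the Remediation step) and prints a FIXED line.
audit_tde() {
  local fix rc rg server db status dbs
  fix=${1:-0}; rc=0
  dbs=$(list_user_dbs)
  while IFS="$tab" read -r rg server db; do
    [ -n "$db" ] || continue          # empty list yields one empty line
    status=$(tde_status "$rg" "$server" "$db")
    if [ "$status" = Enabled ]; then
      printf 'PASS\t%s/%s/%s\n' "$rg" "$server" "$db"
    else
      printf 'FAIL\t%s/%s/%s\t%s\n' "$rg" "$server" "$db" "${status:-unknown}"
      rc=1
      if [ "$fix" = 1 ]; then
        az sql db tde set --resource-group "$rg" --server "$server" \
           --database "$db" --status Enabled >/dev/null
        printf 'FIXED\t%s/%s/%s\n' "$rg" "$server" "$db"
      fi
    fi
  done <<EOF
$dbs
EOF
  return $rc
}

# Run only when explicitly requested so the file can also be sourced:
#   RUN_TDE_AUDIT=1 bash tde_audit.sh         # audit only
#   RUN_TDE_AUDIT=1 FIX=1 bash tde_audit.sh   # audit and remediate
if [ "${RUN_TDE_AUDIT:-0}" = 1 ]; then
  audit_tde "${FIX:-0}"
fi
```

The non-zero exit status of audit_tde makes the script usable as a CI or scheduled compliance gate; run it in audit mode first and review the FAIL lines before running with FIX=1, since tde set changes the encryption state of production databases.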

Backout Plan:

From Azure Console

  1. Go to SQL databases

  2. For each DB instance

  3. Click on Transparent data encryption

  4. Set Data encryption to Off

Using Azure Command Line Interface 2.0

Use the below command to disable Transparent data encryption for a SQL DB instance.

az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Disabled

Note:

  • TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.

  • The Azure Portal does not list the master database under each SQL server. However, CLI/API responses (for example az sql db list) do include it, so exclude master when scripting this check.

References:

  1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database

  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest