Description:
Transparent Data Encryption (TDE) is a feature of Azure SQL that encrypts data at rest on the server. The TDE protector is the key that is used to encrypt the data. By default, the TDE protector is managed by Microsoft. However, you can also choose to use a customer-managed key (CMK). This gives you more control over the security of your data.
Rationale:
Using a CMK for TDE provides the following benefits:
- Increased security: You have full control over the key lifecycle, including creation, rotation, and deletion.
- Separation of duties: You can delegate key management to a different team, which can help to improve security.
- Compliance: Using a CMK can help you to meet compliance requirements, such as HIPAA and PCI DSS.
Impact:
Enabling TDE with a CMK will have the following impact:
- Your data will be encrypted at rest on the server.
- You will have full control over the key lifecycle.
- You can delegate key management to a different team.
- You may be able to meet compliance requirements.
Default Value:
By default, the TDE protector is managed by Microsoft. You can change this to a CMK by following the steps in the Implementation Plan section below.
Pre-requisites:
- You must have a customer-managed key in Azure Key Vault.
- You must have the appropriate permissions to manage the SQL server.
Remediation Steps:
To remediate this policy, you must enable TDE with a CMK. You can do this by following the steps in the Implementation Plan section below.
Test Plan:
To test that the policy has been implemented correctly, you can use the following steps:
- Connect to the SQL server using SQL Server Management Studio.
- Run the following T-SQL query:
SELECT * FROM sys.dm_database_encryption_keys
- Run the query in the context of each database you want to verify, since the view reports on the current database. In the output, the encryptor_type column shows ASYMMETRIC KEY when the TDE protector is a customer-managed Key Vault key, and CERTIFICATE when the default Microsoft-managed protector is in use; encryption_state should be 3 (encrypted).
Implementation Plan:
Azure Console:
- Go to the Azure portal.
- Click on the SQL Servers blade.
- Select the SQL server that you want to configure.
- Click on the Transparent data encryption tab.
- Select the Use your own key option.
- Select the customer-managed key that you want to use.
- Click on the Save button.
Azure CLI:
- Run the following command to list the keys in the Key Vault that holds your customer-managed key (the --vault-name argument is required):
az keyvault key list --vault-name <vault-name>
- Select the customer-managed key that you want to use.
- Run the following command to enable TDE with the customer-managed key:
az sql server tde-key set --resource-group <resource-group> --server <server-name> --server-key-type AzureKeyVault --kid <key-id>
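The Test Plan above checks one server at a time from inside SQL Server Management Studio, and the Azure CLI steps set the protector on one server. The following Python script is an added example (it is not code from this page or from Microsoft) that does the same check across several servers from the control plane: it classifies each server's TDE protector from the output of az sql server tde-key show and, for non-compliant servers, builds the az sql server tde-key set command from the Implementation Plan. The serverKeyType and uri fields are assumed to match the CLI's JSON output; the server names, vault name and key identifier in SAMPLE_TDE_KEYS are constructed so the script runs offline, and fetch_tde_key() is the live replacement for that sample (it requires az login and read access to the servers).

```python
"""Audit the TDE protector type of Azure SQL servers from Azure CLI output.

Added example for this page; not the page's or Microsoft's code. Assumes the
`serverKeyType` and `uri` fields of `az sql server tde-key show -o json`.
All server, vault and key values in SAMPLE_TDE_KEYS are constructed.
"""
import json
import subprocess
from urllib.parse import urlparse

# Constructed stand-in for `az sql server tde-key show -o json`, one entry per server.
SAMPLE_TDE_KEYS = {
    "sql-prod-01": {
        "serverKeyType": "AzureKeyVault",
        "uri": "https://kv-prod.vault.azure.net/keys/tde-protector/0123456789abcdef0123456789abcdef",
    },
    "sql-dev-01": {"serverKeyType": "ServiceManaged", "uri": None},
}


def is_cmk_protected(tde_key: dict) -> bool:
    """True when the server's TDE protector is a customer-managed Key Vault key."""
    return tde_key.get("serverKeyType") == "AzureKeyVault" and bool(tde_key.get("uri"))


def parse_key_uri(uri: str) -> tuple[str, str, str]:
    """Split a Key Vault key identifier into (vault name, key name, version).

    Expected shape: https://<vault>.vault.azure.net/keys/<name>/<version>
    """
    parsed = urlparse(uri)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.scheme != "https" or not parsed.hostname or len(parts) != 3 or parts[0] != "keys":
        raise ValueError(f"not a Key Vault key identifier: {uri}")
    vault = parsed.hostname.split(".")[0]
    return vault, parts[1], parts[2]


def audit(tde_keys: dict[str, dict]) -> dict[str, bool]:
    """Map server name -> True when a customer-managed key protects TDE."""
    return {server: is_cmk_protected(key) for server, key in tde_keys.items()}


def remediation_command(resource_group: str, server: str, key_id: str) -> list[str]:
    """The page's remediation command as an argv list (no shell quoting needed)."""
    return [
        "az", "sql", "server", "tde-key", "set",
        "--resource-group", resource_group,
        "--server", server,
        "--server-key-type", "AzureKeyVault",
        "--kid", key_id,
    ]


def fetch_tde_key(resource_group: str, server: str) -> dict:
    """Live lookup of one server's TDE protector; needs `az login` and read access."""
    result = subprocess.run(
        ["az", "sql", "server", "tde-key", "show",
         "--resource-group", resource_group, "--server", server, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Offline run over the constructed sample; replace SAMPLE_TDE_KEYS with
    # {name: fetch_tde_key(rg, name) for name in servers} for real data.
    for server, compliant in audit(SAMPLE_TDE_KEYS).items():
        key = SAMPLE_TDE_KEYS[server]
        if compliant:
            vault, name, version = parse_key_uri(key["uri"])
            print(f"{server}: OK, protector {name} (version {version}) in vault {vault}")
        else:
            cmd = remediation_command("<resource-group>", server, "<key-id>")
            print(f"{server}: NON-COMPLIANT ({key['serverKeyType']}); remediate with:")
            print("  " + " ".join(cmd))
```

The classification treats a server as compliant only when the key type is AzureKeyVault and a key identifier is actually present, so a half-configured server is not reported as protected by a CMK. Parsing the key identifier lets the report name the vault and key version, which is the information an auditor needs to match the protector against the key lifecycle records the Rationale section refers to.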
Backout Plan:
To back out the changes, follow the Azure Console steps in the Implementation Plan section above, but instead of selecting the Use your own key option, select the Microsoft managed key option.
Note:
- This policy applies to all Azure SQL servers.
- You can also use a hardware security module (HSM) to store the customer-managed key.
- For more information, see the following documentation:
  - Transparent Data Encryption with Customer-managed keys: https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview
  - Azure Key Vault: https://docs.microsoft.com/en-us/azure/key-vault/
 
Reference:
- Transparent Data Encryption with Customer-managed keys: https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview
- Azure Key Vault: https://docs.microsoft.com/en-us/azure/key-vault/
Section 2:
Tags and Keywords:
- TDE
- customer-managed key
- Azure Key Vault
- encryption
- security
- compliance
