Profile Applicability:
Level 1
Description:
Enabling Infrastructure double encryption adds an additional layer of encryption to PostgreSQL servers, securing data before it is even accessed. This includes encrypting data at both the hardware and storage levels, ensuring the utmost data protection, including backups.
Rationale:
Double encryption ensures that data is encrypted at multiple levels, providing an additional layer of security for sensitive data. Even if one layer of encryption is compromised, the second layer ensures continued protection. This is particularly valuable for highly sensitive data, improving resilience against data interception.
Impact:
Pros:
Provides an additional layer of encryption for sensitive data.
Protects data both in transit and at rest.
Helps meet high-security compliance standards.
Cons:
May introduce performance overhead due to the additional encryption layer.
Requires careful management of encryption keys to prevent data loss in case of key mismanagement.
Default Value:
By default, Infrastructure double encryption is disabled.
Pre-requisites:
Ensure that the PostgreSQL Single Server is used, as this feature is not available for Flexible Servers. Also, ensure that the required encryption keys are available and properly managed.
Test Plan:
Using Azure Portal:
Log in to the Azure Portal: https://portal.azure.com.
Navigate to Azure Database for PostgreSQL servers.
Select the relevant database instance.
Under Security, click Data encryption.
Verify that Infrastructure encryption enabled is displayed and is checked.
Using Azure CLI:
1. Run the following command to check the infrastructure encryption status:
az postgres server configuration show --name <server-name> --resource-group <resource-group-name> --query "properties.infrastructureEncryption"
The output should indicate Enabled.
Implementation Plan:
Using Azure Portal:
Go to Azure Database for PostgreSQL servers.
Select the PostgreSQL server.
Under Security, click on Data encryption.
Check the box for Infrastructure encryption enabled.
Click Save to apply the changes.
Using Azure CLI:
1. To enable infrastructure double encryption, run:
az postgres server create --resource-group <resource-group-name> --name <server-name> --location <location> --admin-user <admin-username> --admin-password <server-admin-password> --sku-name GP_Gen4_2 --version 11 --infrastructure-encryption Enabled
Backout Plan:
Using Azure Portal:
Go to Azure Database for PostgreSQL servers.
Under Data encryption, uncheck the Infrastructure encryption enabled box and save the settings.
Using Azure CLI:
1. To disable infrastructure encryption, run:
az postgres server update --resource-group <resource-group-name> --name <server-name> --infrastructure-encryption Disabled
References: