Profile Applicability:
Level 2
Description:
Transparent Data Encryption (TDE) with Customer-managed key support provides increased control over the TDE Protector, improved security with an HSM-backed external service, and promotes separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key), which is stored in the database or data warehouse distribution. To protect this data encryption key (DEK), customer-managed key support allows the DEK to be protected with an asymmetric key stored in Azure Key Vault.
Rationale:
Customer-managed key support for TDE allows users to control TDE encryption keys and restricts access to them. Using an external key management system, such as Azure Key Vault, gives organizations more flexibility and security, ensuring that the DEK is protected by a key that the customer manages. This is critical for regulatory compliance, data protection, and improving the overall security of stored data.
Impact:
Pros:
Provides users with complete control over their encryption keys.
Ensures that data encryption and decryption are governed by policies set by the user.
Enhances security by using Azure Key Vault, a highly available and scalable cloud-based key store that integrates with hardware security modules (HSMs).
Supports separation of duties by separating the management of encryption keys from the database service.
Cons:
Requires additional management overhead, as the customer is responsible for the key management, including key rotation and protection.
Key management best practices must be followed, including the use of HSM-backed key storage and a defined rotation process; a lost or inaccessible key makes the encrypted databases unreadable.
Default Value:
By default, SQL servers use platform-managed keys (PMK) for TDE.
Pre-requisites:
Ensure that an Azure Key Vault is available and configured for key storage. Also, ensure that the appropriate permissions are granted to SQL servers to access the key in Key Vault.
Remediation:
Test Plan:
Using Azure Portal:
Go to SQL servers in the Azure Portal.
For the desired server instance, click on Transparent Data Encryption.
Ensure that Customer-managed key is selected.
Ensure that the option Make selected key the default TDE protector is checked.
Using Azure CLI:
1. Run the following command to verify that the SQL server is using a customer-managed key for TDE:
az sql server tde-key show --resource-group <resource-group-name> --server <server-name>
In the command output, ensure that kind is set to azurekeyvault and that serverKeyType is AzureKeyVault. A serverKeyType of ServiceManaged indicates that the server is still using the default platform-managed key.
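The following audit script is an added example and is not part of the benchmark text. It wraps the CLI command above, applies the kind/serverKeyType check to the returned JSON, and can be evaluated offline against constructed sample documents; it assumes the Azure CLI is installed and logged in, and that the response's uri field holds the Key Vault key identifier.

```python
"""Audit Azure SQL servers for a customer-managed TDE protector (added example)."""
import json
import subprocess
from typing import Any


def evaluate_tde_key(doc: dict[str, Any]) -> tuple[bool, str]:
    """Return (compliant, reason) for one `az sql server tde-key show` document.

    Mirrors the benchmark check: kind must be "azurekeyvault" and serverKeyType
    must be "AzureKeyVault"; anything else (including the default
    "ServiceManaged") is a finding.
    """
    kind = str(doc.get("kind", "")).lower()
    key_type = doc.get("serverKeyType", "")
    if kind != "azurekeyvault":
        return False, f"kind is {kind!r}, expected 'azurekeyvault'"
    if key_type != "AzureKeyVault":
        return False, f"serverKeyType is {key_type!r}, expected 'AzureKeyVault'"
    if not doc.get("uri"):  # assumption: uri carries the Key Vault key identifier
        return False, "no Key Vault key URI recorded for the protector"
    return True, f"TDE protector is the customer-managed key {doc['uri']}"


def audit_server(resource_group: str, server: str) -> tuple[bool, str]:
    """Run the benchmark's audit command for one server and evaluate the result."""
    out = subprocess.run(
        ["az", "sql", "server", "tde-key", "show",
         "--resource-group", resource_group, "--server", server,
         "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return evaluate_tde_key(json.loads(out))


# Constructed sample documents in the shape `tde-key show` returns (not real servers).
SAMPLE_CMK = {
    "kind": "azurekeyvault",
    "serverKeyType": "AzureKeyVault",
    "uri": "https://example-kv.vault.azure.net/keys/tde-protector/0123456789abcdef",
}
SAMPLE_PMK = {"kind": "servicemanaged", "serverKeyType": "ServiceManaged", "uri": None}

if __name__ == "__main__":
    for name, doc in (("cmk-server", SAMPLE_CMK), ("pmk-server", SAMPLE_PMK)):
        ok, why = evaluate_tde_key(doc)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {why}")
```

Replace the samples with a loop over `audit_server(...)` for each resource group and server name to run the audit against a real subscription.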
Implementation Plan:
Using Azure Portal:
Navigate to SQL servers in the Azure Portal.
For the desired server, go to Transparent Data Encryption.
Select Customer-managed key and choose an existing key or create a new one in Azure Key Vault.
Ensure Make selected key the default TDE protector is selected.
Click Save to apply the changes.
Using Azure CLI:
1. To enable TDE with a Customer-managed key, run the following command:
az sql server tde-key set --resource-group <resource-group-name> --server <server-name> --server-key-type AzureKeyVault --kid <key-identifier>
Backout Plan:
Using Azure Portal:
Go to SQL servers and navigate to Transparent Data Encryption.
Change the TDE protector back to the platform-managed key (PMK) if necessary.
Using Azure CLI:
1. To revert to using platform-managed keys, run:
az sql server tde-key set --resource-group <resource-group-name> --server <server-name> --server-key-type ServiceManaged
References: