SQL Server TDE protector should be encrypted with a Key Vault CMK¶
Description¶
With TDE, data is encrypted at rest with a symmetric data encryption key (DEK), and the DEK is itself protected by the TDE protector. Using an Azure Key Vault Customer-Managed Key (CMK) as the TDE protector gives users additional control over the TDE encryption keys and restricts who can access them and when. Key Vault offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Azure Portal¶
Navigate to SQL servers.
Select the SQL server.
In the left navigation, select Transparent data encryption.
Select Customer-managed key > Select a key > Change key.
In Key vault, select an existing key vault or create a new key vault.
In Key, select an existing key or create a new key.
In Version, select an existing version or create a new version.
Click Save.
Azure CLI¶
To set the TDE protector of a SQL server to a Key Vault CMK (the key identifier is the full Key Vault key URI, including the version):
az sql server tde-key set --resource-group <resourceGroupName> --server <dbServerName> --server-key-type AzureKeyVault --kid <keyIdentifier>
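The following script is an added example and not part of the original page or of the Azure CLI documentation. It shows the defender's side of this control: an audit function that reads the JSON returned by az sql server tde-key show and reports whether the protector is a Key Vault key, plus a remediation wrapper around the command above. The resource group, server name, key vault name, key name and the two sample JSON documents are constructed placeholders; the server's managed identity must already have get, wrapKey and unwrapKey permissions on the vault, and the key must be registered on the server with az sql server key create before tde-key set will accept it.

```shell
#!/bin/sh
# Added example (not from the original page): audit and remediate the TDE protector
# of an Azure SQL server. The JSON samples below mimic the shape of
# `az sql server tde-key show -o json` and are constructed for illustration.

# Constructed sample: protector is the default service-managed key (non-compliant).
SAMPLE_SERVICE_MANAGED='{
  "serverKeyName": "ServiceManaged",
  "serverKeyType": "ServiceManaged",
  "uri": null
}'

# Constructed sample: protector is a Key Vault customer-managed key (compliant).
SAMPLE_CMK='{
  "serverKeyName": "kv-example_key-example_0123456789abcdef0123456789abcdef",
  "serverKeyType": "AzureKeyVault",
  "uri": "https://kv-example.vault.azure.net/keys/key-example/0123456789abcdef0123456789abcdef"
}'

# tde_protector_is_cmk JSON
# Exit status 0 when serverKeyType is AzureKeyVault, 1 otherwise.
tde_protector_is_cmk() {
  printf '%s\n' "$1" | grep -q '"serverKeyType": *"AzureKeyVault"'
}

# tde_protector_key_uri JSON
# Prints the Key Vault key URI of the protector, or nothing for a service-managed key.
tde_protector_key_uri() {
  printf '%s\n' "$1" | sed -n 's/.*"uri": *"\([^"]*\)".*/\1/p'
}

# audit_server RESOURCE_GROUP SERVER
# Live check (needs an authenticated az CLI); prints PASS or FAIL and returns 1 on FAIL.
audit_server() {
  json=$(az sql server tde-key show --resource-group "$1" --server "$2" -o json) || return 2
  if tde_protector_is_cmk "$json"; then
    echo "PASS: $2 TDE protector is $(tde_protector_key_uri "$json")"
  else
    echo "FAIL: $2 TDE protector is service-managed"
    return 1
  fi
}

# remediate RESOURCE_GROUP SERVER KEY_URI
# Registers the Key Vault key on the server, then makes it the TDE protector.
remediate() {
  az sql server key create --resource-group "$1" --server "$2" --kid "$3" >/dev/null || return 1
  az sql server tde-key set --resource-group "$1" --server "$2" \
    --server-key-type AzureKeyVault --kid "$3"
}

# Offline demonstration on the constructed samples (no Azure access required).
if tde_protector_is_cmk "$SAMPLE_CMK"; then
  echo "sample CMK server: PASS ($(tde_protector_key_uri "$SAMPLE_CMK"))"
fi
if ! tde_protector_is_cmk "$SAMPLE_SERVICE_MANAGED"; then
  echo "sample service-managed server: FAIL"
fi
```

To audit a real server, run audit_server with the resource group and server name after az login; a FAIL result is the condition this check flags, and remediate switches the protector to the given key URI. Because the protector key must keep existing in the vault for the database to stay readable, soft-delete and purge protection on that vault are worth verifying in the same audit.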