SQL Server TDE protector should be encrypted with a Key Vault CMK


With TDE, data is encrypted at rest with a symmetric data encryption key. Using Azure Key Vault Customer-Managed Key (CMK) allows users to have additional control over TDE encryption keys, and restricts who can access them and when. Key Vault offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.

Azure Portal

  • Navigate to SQL servers.

  • Select the SQL server.

  • In the left navigation, select Transparent data encryption.

  • Select Customer-managed key > Select a key > Change key.

  • In Key vault, select an existing key vault or create new key vault.

  • In Key, select an existing key or create a new key.

  • In Version, select an existing version or create new version.

  • Click Save.

Azure CLI

  • To encrypt a SQL Server with a Key Vault CMK:

az sql server tde-key set --resource-group <resourceName> --server <dbServerName> --server-key-type {AzureKeyVault} [--kid <keyIdentifier>]