SQL Server TDE protector should be encrypted with a Key Vault CMK

Description

With TDE, data is encrypted at rest with a symmetric data encryption key. Using Azure Key Vault Customer-Managed Key (CMK) allows users to have additional control over TDE encryption keys, and restricts who can access them and when. Key Vault offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.

Azure Portal

• Navigate to SQL servers.

• Select the SQL server.

• In the left navigation, select Transparent data encryption.

• Select Customer-managed key > Select a key > Change key.

• In Key vault, select an existing key vault or create new key vault.

• In Key, select an existing key or create a new key.

• In Version, select an existing version or create new version.

• Click Save.

Azure CLI

• To encrypt a SQL Server with a Key Vault CMK:

az sql server tde-key set --resource-group <resourceName> --server <dbServerName> --server-key-type {AzureKeyVault} [--kid <keyIdentifier>]

Documentation Links

Azure Portal and CLI

• Azure SQL Transparent Data Encryption with customer-managed key

• Quickstart: Create a key vault using the Azure portal