Overview
Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. Only a certificate that the Azure SQL Service managed could be used to protect this data encryption key (DEK) in the past. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.
Based on business needs or the criticality of data/databases hosted on an SQL server, it is recommended that the TDE protector be encrypted by a key managed by the data owner (Customer-managed key).
Rationale
Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure's cloud-based external key management system, is the first key management service with integrated TDE support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all the databases under that server.
Impact
Once the TDE protector is encrypted with a Customer-managed key, the entire responsibility for key management transfers to the user; the user should therefore be careful when performing any operation on that key, so that data on the corresponding SQL server and the databases it hosts remains accessible.
When deploying Customer-managed keys, it is also prudent to ensure that an automated toolset for managing these keys is deployed (this should include discovery and key rotation). Keys should be stored in an HSM or hardware-backed keystore such as Azure Key Vault.
Check with your cryptographic key provider for toolsets. They may well offer one as an add-on to their service.
Remediation guidance
From Azure Console
- Open the SQL server using the Open in Azure button
- Under Security, click Transparent data encryption
- Select Customer-managed key
- Click Select a key and Change key to browse through existing keys, or Enter a key identifier
- After filling in all the necessary information, check Make this key the default TDE protector
- Select Save
Using Azure CLI
Use the below command to encrypt the SQL server's TDE protector with a Customer-managed key:
```shell
az sql server tde-key set --resource-group <resourceName> --server <dbServerName> --server-key-type AzureKeyVault --kid '<keyIdentifier>'
```
Using Azure PowerShell
Use the below command to encrypt the SQL server's TDE protector with a Customer-managed key vault key:
```powershell
Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId '<keyIdentifier>' -ServerName <dbServerName> -ResourceGroupName <resourceGroup>
```
Select Y when prompted.
Default Value
By default, a Microsoft-managed TDE protector is enabled for an SQL server.
References
- https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql
- https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/
- https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required
- https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts
- https://learn.microsoft.com/en-us/cli/azure/sql/server/tde-key?view=azure-cli-latest
- https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0
- https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0
Additional Information
- This configuration is audited, and can be set, only on an SQL server; the same configuration will affect the SQL Databases hosted on that server.
- Ensuring TDE is protected by a customer-managed key on the SQL server does not ensure the encryption of its SQL Databases. The Transparent Data Encryption: Data Encryption (ON/OFF) setting on each SQL Database decides whether that database is encrypted or not.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure SQL Servers without TDE protector key encrypted with CMK
Connectors / covered asset types: Microsoft Azure
Expected check: eq [] (the query must return an empty result set; every server it returns is non-compliant)
```graphql
{
  sqlServers(
    where: {
      OR: [
        { encryptionProtector: null }
        { encryptionProtector: { serverKeyType: "ServiceManaged" } }
      ]
    }
  ) {
    ...AssetFragment
  }
}
```
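As an added example, not code from the benchmark page or from Microsoft's tooling, here is a small Python audit helper that evaluates the stored check above offline, against server records in the shape returned by the Azure CLI commands from the remediation section (`az sql server tde-key show` for the protector, and `az sql db tde show` for the per-database caveat under Additional Information). The server names, resource groups, key identifier and database names are constructed samples; `serverKeyType` and `uri` are the documented fields of the encryption protector resource, and accepting either `status` or `state` for the per-database setting is an assumption about differences between CLI versions. The helper goes one step beyond the stored query: it also reports protectors whose key identifier is pinned to a specific Key Vault key version, which the key-rotation toolset called for in the Impact section needs to know about.

```python
"""Offline audit of Azure SQL servers for the CMK-protected TDE protector control.

Mirrors the stored query: a server is non-compliant when encryptionProtector is
null or serverKeyType is "ServiceManaged". Records are constructed samples in the
shape an automation script would assemble from `az sql server list` plus
`az sql server tde-key show` and `az sql db tde show` per server (assumption:
those field names; the values are invented).
"""
import json
from urllib.parse import urlparse

# Constructed sample input (not real resources).
SAMPLE_SERVERS = [
    {"name": "sql-prod-01", "resourceGroup": "rg-prod",
     "encryptionProtector": {
         "serverKeyType": "AzureKeyVault",
         "uri": "https://kv-prod.vault.azure.net/keys/tde-protector/0123456789abcdef0123456789abcdef"},
     "databases": [{"name": "orders", "status": "Enabled"},
                   {"name": "staging", "status": "Disabled"}]},
    {"name": "sql-dev-01", "resourceGroup": "rg-dev",
     "encryptionProtector": {"serverKeyType": "ServiceManaged", "uri": None},
     "databases": [{"name": "sandbox", "state": "Enabled"}]},
    {"name": "sql-legacy", "resourceGroup": "rg-legacy",
     "encryptionProtector": None,
     "databases": []},
]


def protector_is_cmk(server):
    """True when the TDE protector is a customer-managed Key Vault key.

    A missing encryptionProtector or a serverKeyType of "ServiceManaged" means
    the Microsoft-managed default protector is still in place.
    """
    protector = server.get("encryptionProtector")
    if protector is None:
        return False
    return protector.get("serverKeyType") == "AzureKeyVault"


def key_identifier_parts(uri):
    """Split a Key Vault key identifier into (vault host, key name, version).

    Identifiers look like https://<vault>.vault.azure.net/keys/<name>[/<version>];
    version is None for a versionless identifier. Returns None if the value does
    not look like a key identifier at all.
    """
    if not uri:
        return None
    parsed = urlparse(uri)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "keys":
        return None
    version = parts[2] if len(parts) >= 3 else None
    return parsed.hostname, parts[1], version


def database_is_encrypted(db):
    # Assumption: the per-database TDE setting is reported as "status" by older
    # CLI versions and "state" by newer ones, so accept either key.
    return (db.get("state") or db.get("status")) == "Enabled"


def audit(servers):
    """Return the findings a defender wants from this control, as name lists."""
    report = {
        "noncompliant_servers": [],      # what the stored query would return
        "databases_not_encrypted": [],   # server-level control passes, DB is OFF
        "version_pinned_protectors": [], # CMK in use but pinned to one key version
    }
    for server in servers:
        if not protector_is_cmk(server):
            report["noncompliant_servers"].append(server["name"])
        else:
            parts = key_identifier_parts(server["encryptionProtector"].get("uri"))
            if parts and parts[2] is not None:
                report["version_pinned_protectors"].append(server["name"])
        for db in server.get("databases", []):
            if not database_is_encrypted(db):
                report["databases_not_encrypted"].append(f'{server["name"]}/{db["name"]}')
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SERVERS), indent=2))
```

A server listed under `noncompliant_servers` is exactly one the stored query would return; the `databases_not_encrypted` list catches the case the Additional Information section warns about, where the server-level control passes but a database still has Data Encryption set to OFF.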