Use SQL database TDE
Security · SQL Database · 2020_06
Use Transparent Data Encryption (TDE) with Azure SQL Database.
Description
TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is performed at rest without requiring changes to the application.
Recommendation
Consider enabling Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.
Examples
Configure with Azure template
Azure Template snippet
{
  "type": "Microsoft.Sql/servers/databases",
  "apiVersion": "2020-08-01-preview",
  "name": "[variables('dbName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "[parameters('sku')]"
  },
  "kind": "v12.0,user",
  "properties": {
    "collation": "SQL_Latin1_General_CP1_CI_AS",
    "maxSizeBytes": "[mul(parameters('maxSizeMB'), 1048576)]",
    "catalogCollation": "SQL_Latin1_General_CP1_CI_AS",
    "zoneRedundant": false,
    "readScale": "Disabled",
    "storageAccountType": "GRS"
  },
  "resources": [
    {
      "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
      "apiVersion": "2014-04-01",
      "name": "[concat(variables('dbName'), '/current')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]"
      ],
      "properties": {
        "status": "Enabled"
      }
    }
  ]
}
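A pre-deployment check for the template pattern above, as an added example that is not code from this page or the project behind it: it lists every `Microsoft.Sql/servers/databases` resource in a template that has no `transparentDataEncryption` child with `status` set to `Enabled`. The function names and the sample template are constructed for illustration.

```python
import json

DB_TYPE = "microsoft.sql/servers/databases"
TDE_TYPE = DB_TYPE + "/transparentdataencryption"

# Constructed sample (not from the page): db-a has a nested TDE child set to
# Enabled, db-b a top-level child set to Disabled, db-c has no TDE child.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Sql/servers/databases", "name": "[variables('dbA')]",
   "resources": [
     {"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
      "name": "[concat(variables('dbA'), '/current')]",
      "properties": {"status": "Enabled"}}]},
  {"type": "Microsoft.Sql/servers/databases", "name": "srv/db-b"},
  {"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
   "name": "srv/db-b/current", "properties": {"status": "Disabled"}},
  {"type": "Microsoft.Sql/servers/databases", "name": "srv/db-c"}
]}
""")


def walk(resources, parent=None):
    """Yield (resource, parent) pairs, descending into nested resources."""
    for res in resources or []:
        yield res, parent
        yield from walk(res.get("resources"), res)


def is_type(res, expected):
    return res is not None and str(res.get("type", "")).lower() == expected


def databases_without_tde(template):
    """Names of databases that lack a TDE child with status Enabled."""
    pairs = list(walk(template.get("resources")))
    protected = set()
    for res, parent in pairs:
        status = str(res.get("properties", {}).get("status", "")).lower()
        if not is_type(res, TDE_TYPE) or status != "enabled":
            continue
        if is_type(parent, DB_TYPE):
            protected.add(parent.get("name"))  # nested: parent is the database
        else:
            # Top-level: "srv/db/current" -> "srv/db". Names are compared as
            # literal strings; template expressions are not evaluated.
            protected.add(str(res.get("name", "")).rsplit("/", 1)[0])
    return [res.get("name") for res, _ in pairs
            if is_type(res, DB_TYPE) and res.get("name") not in protected]


if __name__ == "__main__":
    print(databases_without_tde(SAMPLE_TEMPLATE))
```

A non-empty result means the template does not explicitly declare TDE for those databases, which makes it suitable as a failing condition in a CI step.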
Configure with Azure CLI
Azure CLI snippet
az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'
Configure with Azure PowerShell
Azure PowerShell snippet
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled
Last update: 2022-12-03