
Use SQL database TDE

Security · SQL Database · Rule · 2020_06 · Critical

Use Transparent Data Encryption (TDE) with Azure SQL Database.

Description

TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Database performs real-time encryption and decryption of the database, its backups, and its transaction log files. Encryption is performed at rest without requiring changes to the application.

Recommendation

Consider enabling Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.

Examples

Configure with Azure template

Azure Template snippet

```json
{
    "type": "Microsoft.Sql/servers/databases",
    "apiVersion": "2020-08-01-preview",
    "name": "[variables('dbName')]",
    "location": "[parameters('location')]",
    "sku": {
        "name": "[parameters('sku')]"
    },
    "kind": "v12.0,user",
    "properties": {
        "collation": "SQL_Latin1_General_CP1_CI_AS",
        "maxSizeBytes": "[mul(parameters('maxSizeMB'), 1048576)]",
        "catalogCollation": "SQL_Latin1_General_CP1_CI_AS",
        "zoneRedundant": false,
        "readScale": "Disabled",
        "storageAccountType": "GRS"
    },
    "resources": [
        {
            "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
            "apiVersion": "2014-04-01",
            "name": "[concat(variables('dbName'), '/current')]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), variables('dbName'))]"
            ],
            "properties": {
                "status": "Enabled"
            }
        }
    ]
}
```

Configure with Azure CLI

Azure CLI snippet

```bash
az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'
```

Configure with Azure PowerShell

Azure PowerShell snippet

```powershell
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled
```
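The commands above set TDE on one database at a time. As an added example (not part of the PSRule for Azure documentation), the script below audits every user database on a logical server and reports those where TDE is not enabled, optionally enabling it; the `$ResourceGroupName`, `$ServerName` and `-Remediate` parameters are this example's own, and it assumes the Az.Sql module is installed and a session is already signed in.

```powershell
# Added example: audit (and optionally remediate) TDE state across all user databases
# on an Azure SQL logical server. Requires the Az.Sql module and an authenticated session.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $ServerName,
    [switch] $Remediate   # when set, enable TDE on any database found with it disabled
)

# TDE cannot be managed on the master database, so it is excluded from the audit.
$databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
    Where-Object { $_.DatabaseName -ne 'master' }

foreach ($db in $databases) {
    $tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroupName `
        -ServerName $ServerName -DatabaseName $db.DatabaseName

    $compliant = ($tde.State -eq 'Enabled')
    $action = 'None'

    if (-not $compliant) {
        Write-Warning "$($db.DatabaseName): TDE state is '$($tde.State)'"
        if ($Remediate) {
            # Same cmdlet as the single-database snippet above, applied per finding.
            Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroupName `
                -ServerName $ServerName -DatabaseName $db.DatabaseName -State Enabled | Out-Null
            $action = 'EnableRequested'
        }
    }

    # Emit one object per database so the result can be filtered, exported or fed to a report.
    [pscustomobject]@{
        Server    = $ServerName
        Database  = $db.DatabaseName
        TdeState  = $tde.State
        Compliant = $compliant
        Action    = $action
    }
}
```

Run it without `-Remediate` first to get a read-only compliance list; enabling TDE starts a background encryption scan, so a newly enabled database may report `Enabled` before every page is encrypted.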
