Use SQL database TDE

Security · SQL Database · Rule · 2020_06 · Critical

Use Transparent Data Encryption (TDE) with Azure SQL Database.


TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Database performs real-time encryption and decryption of the database, its backups, and its transaction log files. Encryption is performed at rest without requiring changes to the application.


Consider enabling Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.


Configure with Azure template

Azure Template snippet
{
    "type": "Microsoft.Sql/servers/databases",
    "apiVersion": "2020-08-01-preview",
    "name": "[variables('dbName')]",
    "location": "[parameters('location')]",
    "sku": {
        "name": "[parameters('sku')]"
    },
    "kind": "v12.0,user",
    "properties": {
        "collation": "SQL_Latin1_General_CP1_CI_AS",
        "maxSizeBytes": "[mul(parameters('maxSizeMB'), 1048576)]",
        "catalogCollation": "SQL_Latin1_General_CP1_CI_AS",
        "zoneRedundant": false,
        "readScale": "Disabled",
        "storageAccountType": "GRS"
    },
    "resources": [
        {
            "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
            "apiVersion": "2014-04-01",
            "name": "[concat(variables('dbName'), '/current')]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]"
            ],
            "properties": {
                "status": "Enabled"
            }
        }
    ]
}
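A pre-deployment check for the template form above, added here as an example and not part of the rule's own implementation: it walks an ARM template, pairs every SQL database with the transparentDataEncryption child that targets it (nested or declared at the top level), and reports databases whose status is not Enabled. The template and the server/database names in it are constructed for the example.

```python
DB_TYPE = "microsoft.sql/servers/databases"
TDE_TYPE = "microsoft.sql/servers/databases/transparentdataencryption"

# Constructed sample template (not from the page): three databases on one server.
# db-orders enables TDE via a nested child, db-reports disables it via a top-level
# child resource, db-legacy declares no TDE resource at all.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Sql/servers/databases", "name": "sql-prod/db-orders",
     "resources": [{"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
                    "name": "db-orders/current", "properties": {"status": "Enabled"}}]},
    {"type": "Microsoft.Sql/servers/databases", "name": "sql-prod/db-reports"},
    {"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
     "name": "sql-prod/db-reports/current", "properties": {"status": "Disabled"}},
    {"type": "Microsoft.Sql/servers/databases", "name": "sql-prod/db-legacy"},
]}

def _walk(resources, parent=None):
    """Yield (resource, parent) for every resource, descending into nested children."""
    for res in resources or []:
        yield res, parent
        yield from _walk(res.get("resources"), res)

def tde_status(template):
    """Map each SQL database name to its declared TDE status ("Enabled", "Disabled")
    or None when no transparentDataEncryption resource targets it."""
    status = {}
    for res, _ in _walk(template.get("resources")):
        if res.get("type", "").lower() == DB_TYPE:
            status[res["name"]] = None
    for res, parent in _walk(template.get("resources")):
        if res.get("type", "").lower() != TDE_TYPE:
            continue
        if parent is not None and parent.get("type", "").lower() == DB_TYPE:
            target = parent["name"]                  # nested child: parent is the database
        else:
            target = res["name"].rsplit("/", 1)[0]   # "server/db/current" -> "server/db"
        if target in status:
            status[target] = res.get("properties", {}).get("status")
    return status

def databases_without_tde(template):
    """Names of databases whose TDE status is anything other than Enabled."""
    return sorted(name for name, st in tde_status(template).items()
                  if (st or "").lower() != "enabled")

if __name__ == "__main__":
    for name in databases_without_tde(SAMPLE_TEMPLATE):
        print(f"TDE not enabled: {name}")
```

A database with no TDE resource at all is reported alongside one explicitly set to Disabled, so the check catches templates that simply omit the child resource.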

Configure with Azure CLI

Azure CLI snippet
az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'

Configure with Azure PowerShell

Azure PowerShell snippet
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled