Microsoft Azure Security Technologies (AZ-500)

Database Security

Implement transparent data encryption

Transparent Data Encryption (TDE) protects Azure SQL databases by encrypting the data files, transaction logs and backups at rest. Encryption and decryption happen inside the database engine, so applications need no changes and the performance impact is minimal.

Key Features of Transparent Data Encryption

TDE provides the following protections:

  • Real-Time Encryption and Decryption:
    TDE encrypts database pages as they are written to disk and decrypts them as they are read back into memory, so queries and applications see plaintext while the storage never does.

  • Protection of Data at Rest:
    Because the data files, log files and backups are encrypted, an attacker who obtains the storage media or a backup file without the key gets only ciphertext.

  • Automatic Encryption Management:
    With service-managed TDE, Microsoft holds the TDE protector (a server-level certificate) and rotates it automatically. For control over the key's lifecycle, access and audit trail, you can bring your own key (BYOK) with a customer-managed key in Azure Key Vault.

  • Always On:
    TDE is enabled by default on newly created Azure SQL databases, so protection starts the moment a database is created. A database restored or migrated from an older source is worth checking explicitly.

  • Regulatory Compliance:
    Encryption at rest with TDE is a common control in data protection regulations and audit frameworks; it satisfies the at-rest requirement but does not by itself protect data in use.

Note

By default, Azure SQL encrypts each database encryption key with a server-level TDE protector that Microsoft manages. If you opt for customer-managed keys, the database can only be opened while the server can reach the Key Vault key: revoking the managed identity's permissions, or deleting the key or the vault, puts the database into an inaccessible state, and backups taken under that key can only be restored while the key still exists. Enable soft-delete and purge protection on the vault before pointing the server at it, and if you later revert to the service-managed protector, keep the old key available for older backups.

Configuring TDE via the Azure Portal

To verify your TDE settings in the Azure Portal:

  1. Log in to the Azure Portal and navigate to your SQL database.
  2. Under Security, open the Data Encryption section.
  3. Confirm that Transparent Data Encryption shows as enabled; if it does not, enable it.

The image shows a Microsoft Azure portal interface focused on SQL database settings, specifically the "Data Encryption" section, where Transparent Data Encryption is enabled.

Customer-managed keys are configured at the server level, not per database. Create a user-assigned managed identity (a system-assigned identity also works) and assign it to the logical server, then grant it get, wrapKey and unwrapKey permissions on the Key Vault key (or the Key Vault Crypto Service Encryption User role if the vault uses Azure RBAC). The server uses this identity to wrap and unwrap the database encryption keys; the Key Vault key itself never leaves the vault.
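The portal steps above, together with the customer-managed key setup, as an Azure PowerShell (Az module) script. This is an added example, not code from the original page or from Microsoft; the resource group, server, vault, key and identity names are assumptions, and it expects an existing Connect-AzAccount session with rights on the resource group.

```powershell
# Added example (not part of the original page): verify TDE on every database
# of a logical server, then move the server's TDE protector to a customer-managed
# key in Azure Key Vault accessed through a user-assigned managed identity.
# Requires Az.Accounts, Az.Sql, Az.KeyVault and Az.ManagedServiceIdentity.
# All resource names below are assumed values for illustration.

$rg       = 'rg-sql-demo'      # assumed resource group
$server   = 'sql-demo-srv'     # assumed logical server name (no .database.windows.net)
$vault    = 'kv-sql-demo'      # assumed Key Vault name
$keyName  = 'tde-protector'    # assumed key name
$umiName  = 'umi-sql-tde'      # assumed user-assigned managed identity name
$location = 'eastus'

# 1. TDE is on by default for new databases, but restored or migrated databases
#    are worth checking; enable it wherever it is off.
$dbs = Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server |
       Where-Object DatabaseName -ne 'master'
foreach ($db in $dbs) {
    $tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg `
               -ServerName $server -DatabaseName $db.DatabaseName
    if ($tde.State -ne 'Enabled') {
        Write-Warning "TDE is $($tde.State) on $($db.DatabaseName); enabling it."
        Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg `
            -ServerName $server -DatabaseName $db.DatabaseName -State Enabled | Out-Null
    }
}

# 2. Key Vault prerequisites: soft-delete and purge protection, so a deleted key
#    cannot take every database encrypted under it offline for good.
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location -EnablePurgeProtection
} elseif (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $vault -ResourceGroupName $rg -EnablePurgeProtection | Out-Null
}
$key = Get-AzKeyVaultKey -VaultName $vault -Name $keyName
if (-not $key) {
    # RSA 2048 software-protected key; use -Destination HSM for an HSM-backed protector.
    $key = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software -KeyType RSA -Size 2048
}

# 3. The user-assigned managed identity the server will use to reach the vault.
$umi = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $umiName -ErrorAction SilentlyContinue
if (-not $umi) {
    $umi = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $umiName -Location $location
}
# Least privilege: only get, wrapKey and unwrapKey on keys (access-policy vault).
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $umi.PrincipalId -PermissionsToKeys get,wrapKey,unwrapKey

# 4. Attach the identity to the server, register the key, and make it the TDE protector.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -IdentityType UserAssigned `
    -UserAssignedIdentityId $umi.Id -PrimaryUserAssignedIdentityId $umi.Id | Out-Null
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $key.Id | Out-Null
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id | Out-Null

# 5. Verify, and record the KeyId: backups taken from now on need this key to restore.
Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server |
    Select-Object Type, KeyId

# Reverting to service-managed keys is a single call, but the vault key must stay
# available for any backup or point-in-time restore that was taken under it:
# Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server -Type ServiceManaged
```

Run it once against a non-production server first: step 4 re-encrypts each database's encryption key under the new protector, and from that point any loss of access to the Key Vault key is an outage. From inside a database, `SELECT encryption_state, encryptor_type FROM sys.dm_database_encryption_keys` confirms the result (encryption_state 3 means encrypted).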

Additional Security Options

Azure SQL also offers Always Encrypted, which encrypts sensitive columns in the client driver so that the database engine only ever handles ciphertext. The column master keys live in a client-side store such as Azure Key Vault or the Windows certificate store, never in the database, so privileged database operators cannot read the protected columns. It complements TDE, which protects data at rest but decrypts it for anyone the engine lets in. While this article focuses on TDE, Always Encrypted will be discussed in a future guide.

Warning

Although TDE can be turned off for a database, doing so leaves its data files, logs and subsequent backups in plaintext, which significantly weakens your security posture and may break regulatory compliance.
