Demystifying Azure Security - Azure SQL Database - Transparent Data Encryption@20aman Feb 17, 2018
This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index
Transparent Data Encryption (TDE) is the automated encryption of your data at rest. If configured it encrypts your database, backups of the database and transactional log files at rest. Normally this is configured by default to provide you with an additional layer of security. If this is not configured then you will get a recommendation to configure it in the Azure Security Center.
Turing Off Transparent data encryption will result in decryption of the complete database and will leave your data vulnerable. When you turn it back On then the database will be encrypted again. Depending upon the size of your database, it may take some time to turn the TDE on or off due to the underlying encryption/decryption process.
This service does not require any changes at the application level. Behind the scene, transparent data encryption performs real-time I/O encryption and decryption of the data at the page level. Each page is decrypted when it's read into memory and then encrypted before being written to disk.
Note: Even if the database is encrypted with TDE, when you take an export of the database (e.g. creation of BACPAK file) then the backup file is created without encryption. You need to ensure that you safeguard/encrypt the backup files before sharing these on an open network.
Configuring TDE at the Database level
Transparent Data Encryption (TDE) can be enabled or disabled at every individual Database level. The configuration is a very simple toggle between on and off. To configure this, navigate to your Azure SQL Database. In the settings, select "Transparent Data Encryption". The set the value for "Data Encryption" On or Off.
Notice the Encryption status. If you want your data to be encrypted, then the encryption status should say "Encrypted" with a green tick mark.
Configuring to use your own Key with TDE
You can use your own Key for encryption with Transparent Data Encryption. If you do not configure to use your own key, then a service managed certificate is used for encryption and decryption.
To do this you will need to upload your key to an Azure Key Vault or generate a new key within the Key Vault, which is very easy to configure. Once you have a key in an Azure Key Vault, you will be able to use the same with Transparent Data Encryption (TDE).
This setting can't be configured at a Database level. Instead, this has to be configured at the server level. Navigate to the underlying Azure SQL Server (where the SQL Database is hosted). Then follow the below steps:
- In the settings, click on the Transparent Data Encryption
- Select "Yes" to Use your own key.
- Then click on "Select a Key" and then select the key from your Azure Key Vault. Alternatively, you can select to "Enter Key Identifier".
- Once the key is configured, select "Save" to save the settings.
This option provides you with all the security at the data level (at rest) while ensuring you have complete control over the process.