Preview: SQL Transparent Data Encryption (TDE) with Bring Your Own Key support

Posted on 28 August, 2017

Program Manager, Azure SQL Database

We’re glad to announce the preview of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support for Azure SQL Database and Azure SQL Data Warehouse! Now you can have control of the keys used for encryption at rest with TDE by storing these master keys in Azure Key Vault.

TDE with BYOK support gives you increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.

When you use TDE, your data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, you could only use a certificate that the Azure SQL Service managed. Now, with BYOK support for TDE, you can protect the DEK with an asymmetric key that is stored in Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.

All the features of Azure SQL Database and SQL Data Warehouse will work with TDE with BYOK support, and you can start enabling TDE with a key from Key Vault today using Azure Portal, PowerShell, and REST API.

In the Azure Portal, we’ve kept the experience simple. Let’s go over three common scenarios.

Enabling TDE

We’ve kept the same simple experience for enabling TDE on the database or data warehouse.

Public Preview of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support

Setting a TDE Protector

On the server, you can now choose to use your own key as the TDE Protector for the databases and data warehouses on your server. Browse through your key vaults to select an existing key or create a new key in Key Vault.

 

Public Preview of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support

Rotating Your Keys

You can rotate your TDE Protector through Key Vault, by adding a new version to the current key. You can also switch the TDE Protector to another key in Key Vault or back to a service-managed certificate at any time. The Azure SQL service will pick up these changes automatically. Rotating the TDE Protector is a fast online process: instead of re-encrypting all data, the rotation re-encrypts the DEK on each database and data warehouse distribution using the TDE Protector.

Public Preview of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support

Integrating BYOK support for SQL TDE allows you to leverage the benefits of TDE as an encryption feature and Key Vault as an external key management service.

You can get started by visiting the Azure Portal or the how-to guide using PowerShell today. To learn more about the feature including best practices, watch our Channel 9 video or visit Transparent Data Encryption with Bring Your Own Key support.

Tell us what you think about TDE with BYOK by visiting the SQL Database and SQL Data Warehouse forums.