General availability: Transparent Data Encryption with customer managed keys for Azure SQL
Posted on 19 April 2018
Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support for Azure SQL Database and Azure SQL Data Warehouse is now generally available.
With this capability, enterprise customers can protect sensitive data and meet regulatory or compliance needs that require key management controls. SQL Database and SQL Data Warehouse now support TDE with BYOK capability, in addition to TDE with server managed keys.
TDE with BYOK support uses Azure Key Vault. Key Vault is highly available and scalable secure storage for RSA cryptographic keys that are backed by FIPS 140-2 Level 2 validated hardware security modules. As an enterprise customer, you can generate your RSA key and import it to Key Vault to use with SQL Database and SQL Data Warehouse TDE with BYOK support.
You can control key rotations, key vault permissions, and key deletion, and turn on auditing and reporting by using Key Vault functionality. You can also turn on TDE with BYOK support at the logical server level for all available database or data warehouse tiers. You can toggle from using TDE with service-managed keys to customer-managed keys at no additional charge.
For more information, see the full blog post.