Transparent data encryption with customer-managed keys for Azure SQL Database managed instance is now generally available
Updated: November 05, 2019
Transparent data encryption (TDE) with customer-managed keys for Azure SQL Database managed instance is now generally available. This capability enables the bring-your-own-key (BYOK) scenario for protecting data at rest and lets organizations separate the duty of managing keys from the duty of managing data.
With customer-managed transparent data encryption, the customer is responsible for, and in full control of, the key lifecycle: key creation, upload, rotation, deletion, key vault permissions, and auditing of operations on keys. This is achieved through the integration of Azure SQL Database managed instance with Azure Key Vault: the Key Vault key (the TDE protector) wraps the database encryption keys and never leaves the vault, so the instance only needs permission to use the key, not to export it. Key Vault is highly available and scalable secure storage for RSA cryptographic keys, backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Because the instance cannot decrypt its data without the protector, revoking the instance's vault permissions or deleting the key makes the databases inaccessible, which is both the point of the control and the reason the key vault should have soft-delete and purge protection enabled. It is possible to switch transparently between service-managed keys and customer-managed keys at any time.
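The following Azure PowerShell sequence is an added worked example of the setup just described; it is not part of the announcement or of any Microsoft sample. It assumes the Az.Sql and Az.KeyVault modules, an existing managed instance with a system-assigned identity, and an authenticated session (Connect-AzAccount); the resource group, instance, vault and key names are placeholders.

```powershell
# Added example (not from the original page): configure customer-managed TDE
# for an Azure SQL Database managed instance using Azure Key Vault.
# All names below are placeholders; adjust to your subscription.
$rg       = "rg-sqlmi-byok"
$mi       = "sqlmi-prod-01"
$vault    = "kv-sqlmi-tde"
$location = "westeurope"
$keyName  = "tde-protector"

# 1. Create the vault with soft-delete and purge protection so that an
#    accidental or malicious key deletion cannot permanently lock the data.
#    Premium SKU is required for HSM-backed keys.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
    -Sku Premium -EnableSoftDelete -EnablePurgeProtection

# 2. Generate the RSA key inside the vault's HSMs (Destination HSM). The
#    private key never leaves Key Vault; SQL only asks the vault to wrap
#    and unwrap the database encryption key with it.
$key = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination HSM

# 3. Grant the managed instance's system-assigned identity only the key
#    permissions TDE needs: get, wrapKey, unwrapKey. No create, delete,
#    list or backup rights, so key lifecycle stays with the key admins.
$principalId = (Get-AzSqlInstance -Name $mi -ResourceGroupName $rg).Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId `
    -PermissionsToKeys get,wrapKey,unwrapKey

# 4. Register the versioned key id with the instance, then make it the
#    TDE protector. Both steps use the key id returned in step 2.
Add-AzSqlInstanceKeyVaultKey -ResourceGroupName $rg -InstanceName $mi -KeyId $key.Id
Set-AzSqlInstanceTransparentDataEncryptionProtector -ResourceGroupName $rg `
    -InstanceName $mi -Type AzureKeyVault -KeyId $key.Id

# 5. Check which protector is now in use (Type and KeyId).
Get-AzSqlInstanceTransparentDataEncryptionProtector -ResourceGroupName $rg -InstanceName $mi

# Rotation: create a new key version with Add-AzKeyVaultKey, repeat step 4
# with its id. Keep every earlier version in the vault for as long as
# backups encrypted under it must remain restorable.
#
# Reverting to service-managed keys is a single call:
#   Set-AzSqlInstanceTransparentDataEncryptionProtector -ResourceGroupName $rg `
#       -InstanceName $mi -Type ServiceManaged
```

The access policy in step 3 is the separation-of-duties point in practice: the instance identity can use the key but cannot list, create or delete keys, while the team that administers the vault never needs access to the database. Auditing key usage is then a matter of enabling Key Vault diagnostic logs on the vault, which records every wrap and unwrap request the instance makes.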
For a detailed overview, read this article.