Create an Azure SQL Server, with data encryption protector


This template creates an Azure SQL server and activates the data encryption protector with "bring your own key" (BYOK). For that, you will need to provide the Key Vault and the key to use.

In order to use an existing Key Vault, it needs to have the "soft-delete" property enabled. You can only do that from the command line (either PowerShell or the CLI).

Alternatively, you can use the PowerShell script included in this directory to create a Key Vault and generate a key.

Then, the ARM template will do the following:

  • Create the Azure SQL server
  • Grant the SQL server's principalId access to the given Key Vault (key permissions 'get', 'wrapKey' and 'unwrapKey')
  • Add a new key at the SQL server level, referencing the key in the vault
  • Finally, activate the protector using the server key created in the previous step

Tags: Microsoft.Sql/servers, SystemAssigned, Microsoft.Resources/deployments, Microsoft.KeyVault/vaults/accessPolicies, Microsoft.Sql/servers/keys, Microsoft.Sql/servers/encryptionProtector, Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Authorization/roleAssignments, Microsoft.KeyVault/vaults, Microsoft.Resources/deploymentScripts, userAssigned