Transparent Data Encryption (TDE) with customer managed keys for Managed Instance

Gepost op 17 december, 2018

Senior Program Manager, Azure SQL Database Security

We are excited to announce the public preview of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support for Microsoft Azure SQL Database Managed Instance. Azure SQL Database Managed Instance is a new deployment option in SQL Database that combines the best of on-premises SQL Server with the operational and financial benefits of an intelligent, fully-managed relational database service. 

TDE with BYOK support has been generally available for single databases and elastic pools since April 2018. It is one of the most frequently requested capabilities by enterprise customers who are looking to protect data at rest, or meet regulatory and compliance obligations that require implementation of specific key management controls. TDE with BYOK support is offered in addition to TDE with service managed keys which is enabled on all new Azure SQL Databases, single databases, pools, and managed instances by default.

TDE with BYOK support uses Azure Key Vault, which provides highly available and scalable secure storage for RSA cryptographic keys backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Azure Key Vault streamlines the key management process and enables customers to maintain full control of encryption keys, including managing and auditing key access.

Customers can generate and import their RSA key to Azure Key Vault and use it with Azure SQL Database TDE with BYOK support for their managed instances. Azure SQL Database handles the encryption and decryption of data stored in databases, log files, and backups in a fully transparent fashion by using a symmetric Database Encryption Key (DEK) which is in turn protected using the customer managed key called TDE Protector stored in Azure Key Vault.

Access control transition from Azure SQL Database to Azure Key Vault flow chart

Customers can rotate the TDE Protector in Azure Key Vault to meet their specific security requirements or any industry specific compliance obligations. When the TDE Protector is rotated, Azure SQL Database detects the new key version within minutes and re-encrypts the DEK used to encrypt data stored in databases. This does not result in re-encryption of the actual data and there is no other action required from the user.

Customers can also revoke access to encrypted managed instances by revoking access to the managed instance’s TDE Protector stored in Azure Key Vault. There are several ways to revoke access to keys stored in Azure Key Vault. Please refer to the Azure Key Vault PowerShell and Azure Key Vault CLI documentation for more details. Revoking access in Azure Key Vault will effectively block access to all databases when the TDE Protector is inaccessible by the Azure SQL Database managed instance.

Azure SQL Database requires soft delete to be enabled in Azure Key Vault to protect the TDE Protector against accidental deletion.

You can get started today by visiting the Azure portal, reviewing REST API for Managed Instance, and the how-to guide for using PowerShell documentation. To learn more about the feature including best practices and to review our configuration checklist see our documentation “Azure SQL Transparent Data Encryption: Bring Your Own Key support.”