Skip to main content

Description

Enable Transparent Data Encryption on every SQL Database.

Rationaleโ€‹

Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Auditโ€‹

From Azure Portalโ€‹

  1. Go to SQL databases.
  2. For each DB instance, under Security, click Data Encryption.
  3. Under Transparent data encryption, ensure that Data encryption is set to On.

From Azure CLIโ€‹

Ensure the output of the following command is Enabled:

az sql db tde show \
    --resource-group {{resource-group-name}} \
    --server {{server-name}} \
    --database {{database-name}} \
    --query status

From PowerShellโ€‹

Get a list of SQL Servers:

Get-AzSqlServer

For each server, list the databases:

Get-AzSqlDatabase `
    -ServerName {{sql-server-name}} `
    -ResourceGroupName {{resource-group-name}}

For each database not listed as a Master database, check for Transparent Data Encryption:

Get-AzSqlDatabaseTransparentDataEncryption `
    -ResourceGroupName {{resource-group-name}} `
    -ServerName {{sql-server-name}} `
    -DatabaseName {{database-name}}

Make sure DataEncryption is Enabled for each database except the Master database.

From Azure Policyโ€‹

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Default Valueโ€‹

By default, Data encryption is set to On.

Referencesโ€‹

  1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database
  2. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default
  3. https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption?view=azps-9.2.0

Additional Informationโ€‹

  • Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level.
  • TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.