Forum Discussion
xxxxxxxx900
Aug 04, 2023
Copper Contributor
CMK and Customer Certificate support for TDE - Azure SQL PAAS
Hi experts,
I need a bit of clarity, as CMK is supported for Azure SQL TDE (Server and DB), and so is a certificate for protecting the DEK.
How are these 2 concepts different in protecting the DEK in Azure SQL PaaS?
CMK - https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql-mi
Certificate - https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver16
Does it mean I can protect the DEK with both a custom customer certificate and CMKs?
Thank you
1 Reply
You cannot protect the DEK with both a custom certificate and a CMK in Azure SQL PaaS.
- Azure SQL Database/Managed Instance: Use CMK in Azure Key Vault for BYOK.
- SQL Server (on-premises/IaaS): Use certificates in the master database.
They are two different implementations of TDE depending on the deployment model.
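
The certificate path the reply describes for SQL Server (on-premises/IaaS), shown as an added example that is not part of the original thread. The names `TdeDemoCert` and `SalesDb`, the passwords and the backup paths are hypothetical placeholders. The final query reports which kind of protector wraps each DEK.

```sql
-- SQL Server (on-premises/IaaS): the DEK is protected by a certificate
-- stored in the master database. All names, passwords and paths below
-- are hypothetical placeholders.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE TdeDemoCert
    WITH SUBJECT = 'TDE DEK protector (example)';

-- Back up the certificate and its private key before enabling TDE.
-- Without them, an encrypted database or its backups cannot be
-- restored on another server.
BACKUP CERTIFICATE TdeDemoCert
    TO FILE = '<backup-path>\TdeDemoCert.cer'
    WITH PRIVATE KEY (
        FILE = '<backup-path>\TdeDemoCert.pvk',
        ENCRYPTION BY PASSWORD = '<backup-password-placeholder>');

-- Create the database encryption key (DEK) and wrap it with the certificate.
USE SalesDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeDemoCert;

ALTER DATABASE SalesDb SET ENCRYPTION ON;

-- Verify: encryptor_type shows what protects each DEK
-- (CERTIFICATE or ASYMMETRIC KEY); encryption_state 3 means encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       encryptor_type,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

In Azure SQL Database and Managed Instance, as the reply says, the protector is a CMK held in Azure Key Vault, so the certificate steps above are not how a customer brings their own key there.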