Public Preview of Transparent Data Encryption and Credential Rotation for Arc SQL Managed Instance
Published Jul 19 2023 11:48 AM
Microsoft

We are thrilled to announce the Public Preview of Transparent Data Encryption (TDE) and Service-Managed Credential Rotation for Arc-enabled SQL Managed Instance. Both features focus on data security and are designed to keep your sensitive information protected.

Transparent Data Encryption Overview

Azure Arc-enabled SQL Managed Instance now supports a managed solution for encrypting all databases within a managed instance at rest. TDE offers robust encryption to safeguard your data.

Transparent Data Encryption Modes

There are two modes that a user can specify when using Transparent Data Encryption: Customer-managed and Service-managed (TDE can also be left disabled and managed manually, as the table below shows). This feature can be enabled via the Kubernetes spec and the az CLI.

| | Customer-managed keys (CMK) | Service-managed keys (SMK) | Disabled |
|---|---|---|---|
| Use Cases | Businesses that would like full control of the certificates encrypting their data. | Businesses that would like the Arc-enabled data controller to manage the certificates for them. | Businesses that would like to manually manage encryption of each database and their managed instance themselves. |
| Characteristics | User managed. Users bring the certificate to encrypt their data. | Service managed. The service will create the certificate automatically. | User managed. Users must manually load and enable encryption-at-rest on their managed instances. |
| Deployment Process | Users must create a Kubernetes secret with their certificate, then update their SQL MI Custom Resource spec. | Users update their SQL MI Custom Resource spec. | A series of Kubernetes exec commands as well as T-SQL commands for each database. |
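The manual path in the "Disabled" column, as an added T-SQL example (not code from the original post): it creates the database master key, the protector certificate, a backup of that certificate, and the per-database encryption key that the CMK and SMK modes otherwise handle for you, then checks the encryption state. The database name ExampleDb, the certificate name, the passwords and the file paths are placeholders.

```sql
-- Manual TDE for one database, run as a sysadmin login.
-- Constructed example: names, passwords and paths are placeholders.
USE master;
GO
-- 1. The database master key in master protects the TDE certificate's private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. Server certificate that acts as the TDE protector.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TdeProtectorCert')
    CREATE CERTIFICATE TdeProtectorCert WITH SUBJECT = 'TDE protector (manual)';
GO
-- 3. Back up the certificate and its private key right away: without this backup
--    an encrypted database cannot be restored on another instance.
BACKUP CERTIFICATE TdeProtectorCert
    TO FILE = '/var/opt/mssql/backup/TdeProtectorCert.cer'
    WITH PRIVATE KEY (
        FILE = '/var/opt/mssql/backup/TdeProtectorCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>');
GO
-- 4. Per database: create the database encryption key (DEK) protected by the
--    certificate, then switch encryption on. Repeat this step for every database.
USE ExampleDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeProtectorCert;
GO
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO
-- 5. Verify: encryption_state 3 = encrypted, 2 = encryption in progress,
--    percent_complete shows how far the background scan has progressed.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

On an Arc-enabled instance these statements are issued from inside the pod (for example through kubectl exec and sqlcmd), and the backup files must be copied out of the pod and stored securely.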

 

Service Managed Credential Rotation Overview

Azure Arc-enabled SQL Managed Instance now supports a simple way to rotate some service-managed credentials in your SQL Managed Instance, for both the General Purpose and Business Critical service tiers. The primary benefit of credential rotation is enhanced security: by regularly refreshing access credentials, the exposure created by compromised or outdated credentials is reduced.

 

| Credential Management | Credential Types | Documentation Link |
|---|---|---|
| Service-managed | Most certificates, logins | Rotate SQL Managed Instance service-managed credentials (preview) - Azure Arc \| Microsoft Learn |
| Customer-managed | TLS certificate | Rotate certificate Azure Arc-enabled SQL Managed Instance (indirectly connected) – Azure Arc \| Micro... |

 

Overall, the Public Preview release of Transparent Data Encryption (TDE) and Credential Rotation for Arc-enabled SQL Managed Instance improves both data security and management. With TDE, your sensitive information is protected at rest, and Credential Rotation ensures that access credentials are seamlessly refreshed for increased security.

Last update: Jan 16 2024 11:43 AM