Public Preview of Transparent Data Encryption and Credential Rotation for Arc SQL Managed Instance
Published Jul 19 2023 11:48 AM 2,003 Views

We are thrilled to announce the Public Preview of Transparent Data Encryption (TDE) and Service-Managed Credential Rotation for Arc-enabled SQL Managed Instance. With a strong focus on data security and management, this release introduces cutting-edge features that ensure your sensitive information is protected.  


Transparent Data Encryption Overview 


Azure Arc-enabled SQL Managed Instance now supports a managed solution for encrypting-at-rest all your databases within a managed instance. TDE offers robust encryption to safeguard your data against unauthorized access.  


Transparent Data Encryption Modes 


There are two modes that a user can specify when using Transparent Data Encryption: Customer-managed and Service-managed. This feature can be enabled via the Kubernetes spec and az CLI. 



Customer-managed keys (CMK) 

Service-managed keys (SMK) 


Use Cases 

Businesses that would like full control on the certificates encrypting their data. 

Businesses that would like the arc-enabled data controller to manage the certificates for them. 

Businesses would like to manually manage encryption of each database and their managed instance themselves. 


User managed. Users bring the certificate to encrypt their data. 

Service managed. The service will create the certificate automatically. 

User managed. Users must manually load and enable encryption-at-rest on their managed instances. 

Deployment Process 

Users must create a Kubernetes secret with their certificate, then update their SQL MI Custom Resource spec. 

Users update their SQL MI Custom Resource spec. 

A series of Kubernetes exec commands as well as T-SQL commands for each database. 


Service Managed Credential Rotation Overview 


Azure Arc-enabled SQL Managed Instance now supports a simple way to rotate some service-managed credentials in your SQL Managed Instance for both the general purpose and business critical service tiers. The primary benefit of credential rotation is enhanced security. By automatically and regularly refreshing access credentials, potential security vulnerabilities due to compromised or outdated credentials are mitigated. This proactive approach significantly reduces the risk of unauthorized access and data breaches, ensuring that only authorized users have valid and up-to-date credentials to access sensitive information or critical systems. 


Credential Management 

Credential Types 

Documentation Link 


Most certificates, logins 

Rotate SQL Managed Instance service-managed credentials (preview) - Azure Arc | Microsoft Learn 


TLS certificate 

Rotate certificate Azure Arc-enabled SQL Managed Instance (indirectly connected) – Azure Arc | Micro... 


In conclusion, the Public Preview release of Transparent Data Encryption (TDE) and Credential Rotation for Arc-enabled SQL Managed Instance is aimed towards bolstering data security and management. With TDE, your sensitive information remains shielded from prying eyes, while Credential Rotation ensures that access credentials are automatically and seamlessly refreshed, providing protection against potential cyber threats. We invite you to take advantage of these cutting-edge features to fortify your data infrastructure and stay one step ahead of evolving security challenges.  

Version history
Last update:
‎Jul 19 2023 11:53 AM
Updated by: