Automated key rotation for TDE BYOK now available in preview for Azure SQL!
Published Aug 24 2022 12:18 AM
Microsoft

Transparent data encryption (TDE) in Azure SQL Database and Azure SQL Managed Instance helps protect against the threat of malicious offline activity by encrypting data at rest. TDE with Customer-Managed Key (CMK) enables the Bring Your Own Key (BYOK) scenario for data protection at rest by allowing a key stored in a customer-owned and customer-managed Azure Key Vault to be used as the TDE Protector on the server or managed instance.

 

When using TDE with Customer-Managed Key, one of the important responsibilities that customers must carry out on a regular basis is key rotation: rotating the TDE Protector on the server by switching to a new key (or a new version of the existing key) from Azure Key Vault. Key rotation is a critical activity for any organization that must meet security and compliance objectives.

 

Automated key rotation for Azure SQL Database and Managed Instance is now available in preview, simplifying key management responsibilities for customers.

 

How does automated key rotation work?

 

Automated rotation can be enabled when configuring Customer Managed Key (TDE protector) on an existing server or managed instance. When a particular key from Azure Key Vault is set as the TDE Protector for the server and auto-rotation is enabled, the server continuously checks the key vault for new versions of the key being used as the TDE protector. If a new version of the key is detected, the TDE protector on the server is automatically rotated to the latest key version.

 

Automated rotation in Azure SQL can be used together with automated key rotation in Azure Key Vault. Customers can configure a rotation policy on the key in their key vault to schedule automated rotation of the key, that is, a new version of the key is generated automatically at a specified frequency. With automated rotation enabled in Azure SQL, the new key version is automatically set as the TDE Protector for the server or managed instance. This enables end-to-end, zero-touch key rotation for customers using TDE with CMK in Azure SQL.

 

Quick steps to configure automatic rotation of TDE Protector on a SQL logical server

 

Use the Set-AzSqlServerTransparentDataEncryptionProtector PowerShell cmdlet to enable auto-rotation for the TDE Protector on the server.

 

Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId <keyVaultKeyId> `
   -ServerName <logicalServerName> -ResourceGroupName <SQLDatabaseResourceGroupName> `
   -AutoRotationEnabled $true

Note that -AutoRotationEnabled is a Boolean parameter, so it must be passed $true (not the string true), and <keyVaultKeyId> is the key identifier of the Key Vault key that will serve as the TDE Protector.
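The following script is an added example and is not part of the original post or of Microsoft's documentation. It ties the two halves of the zero-touch flow together: a rotation policy on the Key Vault key (so new versions appear on a schedule) and auto-rotation on the logical server (so the TDE Protector follows those versions), followed by a verification step. It assumes the Az.KeyVault and Az.Sql modules, an existing key that the server's identity is already permitted to use (get, wrapKey, unwrapKey, or the equivalent RBAC role), and placeholder resource names; the property names read back from the protector object (AutoRotationEnabled, KeyId) are assumed from the cmdlet's output model. The policy JSON uses the lifetimeActions/attributes schema that Key Vault documents for key rotation policies.

```powershell
# Added example, not from the original post. Placeholders: replace before running.
$rg        = "<SQLDatabaseResourceGroupName>"
$server    = "<logicalServerName>"
$vaultName = "<keyVaultName>"
$keyName   = "<tdeProtectorKeyName>"

# 1. Key Vault side: schedule new versions of the key.
#    A new version is created 90 days after each version's creation and every
#    version expires after two years; pick intervals that match your own policy.
#    Access policies/RBAC apply to the key, not to a version, so the server's
#    identity keeps access to each new version without further configuration.
$policy = @'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P90D" }, "action": { "type": "Rotate" } }
  ],
  "attributes": { "expiryTime": "P2Y" }
}
'@
$policyPath = Join-Path ([System.IO.Path]::GetTempPath()) "tde-rotation-policy.json"
Set-Content -Path $policyPath -Value $policy -Encoding utf8
Set-AzKeyVaultKeyRotationPolicy -VaultName $vaultName -Name $keyName -PolicyPath $policyPath

# 2. Azure SQL side: set the current key version as TDE Protector and opt in to
#    auto-rotation. -AutoRotationEnabled is Boolean, so pass $true, not "true".
$key = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName   # latest version
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id -AutoRotationEnabled $true

# 3. Verify: the protector must report auto-rotation and should be on the
#    key's latest version. Run the same check again after the first rotation
#    interval to confirm the server actually followed the new version.
$protector = Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server
$latestKey = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName
if (-not $protector.AutoRotationEnabled) {
    throw "Auto-rotation is not enabled on server '$server'."
}
if ($protector.KeyId -ne $latestKey.Id) {
    Write-Warning ("TDE Protector is on {0}; latest key version is {1}. " -f $protector.KeyId, $latestKey.Id) +
                  "Rotation has not propagated yet; re-check later."
}
else {
    Write-Output "TDE Protector on '$server' is on the latest key version with auto-rotation enabled."
}
```

Two practical caveats. First, do not disable or delete earlier key versions after a rotation: older backups and transaction log records were encrypted under them and cannot be restored without them, so a rotation policy changes which version is current but retention of past versions is still your responsibility. Second, for a managed instance the equivalent call is Set-AzSqlInstanceTransparentDataEncryptionProtector with -InstanceName in place of -ServerName, and for a geo-replicated setup the secondary server also needs access to the key; the geo-replication considerations linked under Learn More cover that case.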

 

Apart from PowerShell, automated rotation can also be enabled via REST API, CLI and Azure Portal.

Note – The ability to enable automated rotation of TDE Protector from Azure Portal will be available in the coming weeks. Until then, REST API, PowerShell or CLI can be used to configure automated rotation.

 

Learn More 

  1. Automated rotation of TDE Protector - https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?...
  2. Geo-replication considerations when enabling automated rotation – https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?...
  3. Tutorial for automatic key rotation in Azure SQL - https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-key-rotat...
  4. Configure cryptographic key auto-rotation in Azure Key Vault (Microsoft Docs)

 

Automated key rotation further streamlines the Customer Managed Key experience for customers and organizations: it provides simplified and flexible key management, removes the overhead of manually rotating keys, and allows better adherence to security and compliance guidelines with respect to key rotation policies.

 
