Transparent data encryption (TDE) in Azure SQL Database and Managed Instance helps protect against the threat of malicious offline activity by encrypting data at rest. Azure SQL TDE with Customer-Managed Key (CMK) enables the Bring Your Own Key (BYOK) scenario for data protection at rest, and gives customers full control of the key lifecycle.
The ability to use an RSA key stored in Azure Key Vault Managed HSM, for customer-managed TDE (TDE BYOK) in Azure SQL Database and Managed Instance is now generally available.
With this, along with the existing option of using Azure Key Vault (standard and premium tiers), customers now have the flexibility to use Managed HSMs for storing their encryption keys to protect their most confidential workloads in Azure SQL.
What is Managed HSM?
Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables customers to safeguard cryptographic keys for their cloud applications, using FIPS (Federal Information Processing Standard) 140-2 Level 3 validated HSMs.
Managed HSM is built on Azure's confidential computing platform. Azure confidential computing protects the confidentiality and integrity of your data and code while it's processed in the public cloud.
Managed HSMs provide multiple benefits such as centralized key management, isolated access control (local RBAC), private endpoints, data residency, etc.
Quick steps to configure TDE BYOK on a SQL logical server using Managed HSM
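The following script is an added example, not part of the original post and not Microsoft's own sample: it walks through the configuration using the Az PowerShell module (Az.Accounts, Az.Sql, Az.KeyVault). It assumes you are already signed in with Connect-AzAccount, that the Managed HSM already exists, and that your account holds a local RBAC role on it that can create keys and assign roles. Every resource name is a placeholder.

```powershell
# Added example (not from the original post): configure TDE BYOK for an Azure SQL
# logical server with an RSA key held in Azure Key Vault Managed HSM.
# All names below are placeholders; replace them with your own resources.

$ResourceGroup = 'rg-sql-tde'        # placeholder resource group
$ServerName    = 'sql-tde-demo'      # placeholder SQL logical server name
$HsmName       = 'mhsm-tde-demo'     # placeholder Managed HSM name
$KeyName       = 'sql-tde-key'       # placeholder key name inside the HSM

# 1. Ensure the logical server has a system-assigned managed identity.
#    TDE BYOK uses this identity to wrap/unwrap the database encryption key.
$server      = Set-AzSqlServer -ResourceGroupName $ResourceGroup -ServerName $ServerName -AssignIdentity
$principalId = $server.Identity.PrincipalId

# 2. Create an RSA key in the Managed HSM (3072-bit here; 2048/4096 are also valid).
$key = Add-AzKeyVaultKey -HsmName $HsmName -Name $KeyName -Destination HSM -KeyType RSA -Size 3072

# 3. Grant the server identity the Managed HSM local RBAC role that permits
#    wrap/unwrap. Scope it to this one key rather than the whole HSM (least privilege).
New-AzKeyVaultRoleAssignment -HsmName $HsmName `
    -RoleDefinitionName 'Managed HSM Crypto Service Encryption User' `
    -ObjectId $principalId `
    -Scope "/keys/$KeyName"

# 4. Register the key with the server, then make it the TDE protector.
#    $key.Id is the versioned key URI (https://<hsm>.managedhsm.azure.net/keys/<name>/<version>).
Add-AzSqlServerKeyVaultKey -ResourceGroupName $ResourceGroup -ServerName $ServerName -KeyId $key.Id
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $ResourceGroup -ServerName $ServerName `
    -Type AzureKeyVault -KeyId $key.Id

# 5. Verify that the protector now points at the Managed HSM key.
Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $ResourceGroup -ServerName $ServerName
```

Two points worth checking after running this: the role assignment in step 3 is scoped to the single key path, so the server identity cannot use or enumerate other keys in the HSM; and because every database on the server now depends on that key, keep a backup of it and make sure the HSM's soft-delete and purge protection settings match your recovery requirements before rotating or deleting anything.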
Learn More
With Managed HSM availability for customer-managed TDE in Azure SQL, customers can now bring to Azure their most sensitive workloads, those that require higher security (single-tenant, isolation, local RBAC), compliance (FIPS 140-2 Level 3 validated HSMs) and higher throughput for key management.