We are thrilled to announce that ledger in Azure SQL Managed Instance is now generally available! This feature enables you to store and protect sensitive data in a tamper-evident and cryptographically verifiable way, using the same familiar SQL interface. Ledger is designed to meet the highest standards of security and compliance, and it is ideal for scenarios such as financial transactions, healthcare records, audit logs, and more. With ledger, you get the benefits of a fully managed and scalable cloud database service while retaining cryptographic evidence that your data has not been altered outside the normal transaction path. The data is centrally managed, and you can cryptographically attest to other parties, such as auditors or business partners, that your data is trustworthy and hasn't been tampered with.
How it works
The way ledger in Azure SQL Managed Instance works is the same as in Azure SQL Database and SQL Server 2022. Each transaction that modifies a ledger table is cryptographically hashed (SHA-256), and the transaction hashes are chained together, like a blockchain, so that altering an earlier block invalidates every later one. Database digests, which are hashes that capture the state of the database at a point in time, are generated periodically and stored outside the managed database in trusted, write-once storage such as Azure immutable Blob storage or Azure Confidential Ledger.
All historical ledger table data is transparently maintained in the database and exposed to users for auditing and forensic purposes. This history lets you analyze the executed operations and detect unexpected or malicious modifications. However, malicious high-privileged users or cloud operators could bypass the SQL layer and alter ledger table content using other techniques, such as writing directly to the data files. These "under the covers" attacks are detected through cryptographic verification: auditors, business partners (in a multi-party scenario), or even end users run the database verification process, which recomputes the hashes in the database and compares them to the previously stored digests supplied as input. The verification is only as strong as the digest it compares against, which is why digests must be kept where the database operator cannot rewrite them. When verification succeeds, you have cryptographic proof that your data is intact.
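The following T-SQL walks through the cycle described above end to end: creating an updatable and an append-only ledger table, making changes, inspecting the ledger view and transaction history, generating a digest, and verifying the database against that digest. This is an added example and not code from the Microsoft announcement; the table and column names (`dbo.Accounts`, `dbo.AuditLog`, and so on) are constructed for illustration.

```sql
-- Verification reads a consistent snapshot, so enable snapshot isolation first.
ALTER DATABASE CURRENT SET ALLOW_SNAPSHOT_ISOLATION ON;
GO

-- Updatable ledger table: rows can be updated/deleted, but every prior version
-- is kept in a system-versioned history table and covered by the ledger hash chain.
CREATE TABLE dbo.Accounts
(
    AccountId INT            NOT NULL PRIMARY KEY,
    Owner     NVARCHAR(100)  NOT NULL,
    Balance   DECIMAL(18, 2) NOT NULL
)
WITH
(
    SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.Accounts_History),
    LEDGER = ON
);

-- Append-only ledger table: the engine rejects UPDATE and DELETE outright,
-- which is the right shape for an audit log.
CREATE TABLE dbo.AuditLog
(
    EventId   INT IDENTITY(1, 1) NOT NULL PRIMARY KEY,
    EventTime DATETIME2          NOT NULL DEFAULT SYSUTCDATETIME(),
    Actor     SYSNAME            NOT NULL,
    Detail    NVARCHAR(400)      NOT NULL
)
WITH (LEDGER = ON (APPEND_ONLY = ON));
GO

-- Constructed sample activity: an insert, an update, and an audit entry.
INSERT INTO dbo.Accounts (AccountId, Owner, Balance) VALUES (1, N'Alice', 100.00);
UPDATE dbo.Accounts SET Balance = 75.00 WHERE AccountId = 1;
INSERT INTO dbo.AuditLog (Actor, Detail) VALUES (SUSER_SNAME(), N'Adjusted account 1');
GO

-- Forensics through the SQL interface: every row version with the transaction
-- that produced it. The ledger view defaults to <TableName>_Ledger.
SELECT * FROM dbo.Accounts_Ledger ORDER BY ledger_transaction_id;
SELECT * FROM sys.database_ledger_transactions ORDER BY transaction_id;
GO

-- Generate a digest. In production this is what automatic digest storage
-- pushes to immutable Blob storage or Azure Confidential Ledger; here we keep
-- the JSON in a table variable only to feed it straight back into verification.
DECLARE @digests TABLE (digest NVARCHAR(MAX));
INSERT INTO @digests (digest) EXEC sys.sp_generate_database_ledger_digest;

DECLARE @digest NVARCHAR(MAX);
SELECT TOP (1) @digest = digest FROM @digests;

-- Verification recomputes the hash chain from the database's own ledger data
-- and compares it with the digest. It raises an error if the chain does not
-- match, which is how an out-of-band edit to the data files would surface.
EXEC sys.sp_verify_database_ledger @digest;
GO
```

Verifying against a digest generated a moment earlier in the same session only proves the procedure works; the security value comes from verifying against a digest that was written to immutable storage before any suspected tampering, by someone who does not share the database operator's credentials. When automatic digest storage is configured, `sys.sp_verify_database_ledger_from_digest_storage` pulls the digests from that storage location instead of taking them as a parameter.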
Get started today
When creating a new database in an Azure SQL Managed Instance using the portal, go to the Security section to enable automatic digest storage or to configure a ledger database (one in which every table is a ledger table). PowerShell and Azure CLI can also be used. Updatable and append-only ledger tables are supported by default in any Azure SQL Managed Instance database, so you can start with individual tables without converting the whole database.