Public preview: TDE with customer managed keys on Azure SQL Hyperscale
Published May 29 2020 01:50 PM 5,770 Views

Azure SQL Transparent Data Encryption (TDE)  with customer-managed keys enables customers to control the key lifecycle management, permissions and operations of keys stored in their own Azure Key Vault. We are announcing the public preview of TDE with customer-managed keys on Azure SQL Database Hyperscale.

Quick start instructions with Azure CLI


1. Assign Azure AD identity to your server.


  • If it is a new server you are creating, then you can assign an AAD identity while creating it via az sql create
    az sql server create --name <servername> --resource-group <rgname>  --location <location> --admin-user <user> --admin-password <password> --assign-identity
  • If it is an existing server can use az sql server update.
    az sql server update --name <servername> --resource-group <rgname>  --location <location> --admin-user <user> --admin-password <password> --assign-identity

       You will need the principalId from the commands above to be able to grant permissions in step 4. Example output is below

 "identity": {
"principalId": "bbbbbfsfs-2fde-4890-a7ce-aaaaaaaaaaa",
"tenantId": "aaaaaf-aaf1-41af-aaab-2d7cd0bbbbbb",
"type": "SystemAssigned"

2.  Create a test Hyperscale database



az sql db create --name <dbname> --server <servername> --resource-group <rgname> -e Hyperscale -f Gen5 -c 2



3. Create a Key vault in the same region as your database server and a key if you do not already have one



az keyvault create --name <keyvaultname> --resource-group <rgname> --location <location> --enable-soft-delete true
az keyvault key create --name <keyname> --vault-name <keyvaultvname> --protection software



4. Grant Key vault permissions to your server Identity using the principalId from step1.



az keyvault set-policy --name <keyvaultvname> --object-id <principalID> --resource-group <rgname> --key-permissions wrapKey unwrapKey get



5. Obtain the kid from the key that was created in step 3 using the command below.



az keyvault key show --vault-name <keyvaultname> --name <keyname>



Snippet of output:

"kid": "",


6. Add the Key vault key to the server and set the TDE protector



az sql server key create --server <servername> --resource-group <rgname> --kid <keyID>
az sql server tde-key set --server <servername> --server-key-type AzureKeyVault  --resource-group <rgname> --kid <keyID>



7. Enable TDE at the database level. Note that the encryption could take a while depending on the database size and the tier.



az sql db tde set --database <dbname> --server <servername> --resource-group <rgname> --status Enabled



8. Check Encryption state and activity using CLI or powershell or TSQL




az sql db tde list-activity --database <dbname> --server <servername> --resource-group <rgname>  
# get whether encryption is on or off
az sql db tde show --database <dbname> --server <servername> --resource-group <rgname>



TSQL : sys.dm_database_encryption_keys



-- encryptor_type will be ASYMMETRIC KEY
SELECT database_id,encryptor_type,encryption_state, encryption_scan_state,percent_complete
key_algorithm, encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID()



For more information please see requirements and recommendations for configuration customer-managed TDE


Azure SQL databases that have TDE with customer-managed keys on other tiers will be not able to update to Hyperscale tier and will fail with the error below:

Error message: 'The logical server is using customer managed key (AKV), switch to service managed key before moving to 'Hyperscale' edition. Update to service objective 'HS_Gen5_2' with customer managed key is not supported' for entity 'dbname'.


We will be addressing this before General availability of the feature. Upgrades of databases with customer managed keys are now available.


Let us know your experiences as you try this out on hyperscale!

Version history
Last update:
‎Nov 09 2020 09:40 AM
Updated by: