Transparent Data Encryption with customer-managed keys for Azure SQL Hyperscale now available
Published Dec 08 2020 02:00 PM

Transparent data encryption (TDE) in Azure SQL helps protect against the threat of malicious offline activity by encrypting data at rest. Customers using Azure SQL Database Hyperscale can now use a key stored in Azure Key Vault (AKV) as the TDE Protector for their server.


What new functionality is available as part of this announcement

With Bring Your Own Key (BYOK) support for TDE now available for Hyperscale databases, the TDE Protector that encrypts the Database Encryption Key (DEK) can be stored in a customer-owned and managed Azure Key Vault (Azure's cloud-based external key management system). The TDE Protector can be generated in AKV or transferred to it from the customer's on-premises HSM. The logical SQL server in Azure must be granted permission to access the key stored in AKV; if that access is later revoked, or the key is deleted or expires, the server can no longer unwrap the DEK and the database becomes inaccessible until access is restored.

The existing TDE with service-managed keys option continues to be available, and the TDE encryption mode can be switched between service-managed and customer-managed keys.

Note – TDE BYOK functionality is already available for other service tiers in Azure SQL.




What are the benefits provided by TDE BYOK for Hyperscale

  • TDE with customer-managed keys improves on service-managed keys by enabling central management of keys in Azure Key Vault, giving customers full and granular control over usage and management of the TDE protector
  • Users can control all key management tasks including key creation, upload, rotation, deletion, key usage permissions, key backups, along with enabling auditing/reporting of all operations performed on the TDE protectors
  • Organizations can use TDE BYOK to implement separation of duties between management of keys and data to help meet compliance with security policies
  • Azure Key Vault (AKV) provides a higher level of security assurance for government and financial customers and sensitive workloads via optional FIPS 140-2 Level 2 and Level 3 validated hardware security modules


Steps to enable TDE BYOK for a Hyperscale database

Below are the steps needed to enable TDE with customer-managed keys for Hyperscale database(s).

  1. Assign an Azure AD identity to the logical SQL server hosting the Hyperscale database.
  2. Create (or use an existing) key vault and key. Refer to this tutorial for doing this through the Portal, and follow the requirements for configuring AKV and for TDE Protector keys: the vault must have soft-delete and purge protection enabled, and the key must be an enabled RSA or RSA-HSM key of 2048 or 3072 bits whose activation date (if set) is in the past and whose expiration date (if set) is in the future.
  3. Grant the server's identity permission to access the keys stored in Key Vault. Only the get, wrapKey and unwrapKey key permissions are needed.
  4. Add the Key Vault key to the server and set it as the TDE protector. This updates the server to use TDE with a customer-managed key.
  5. Turn on TDE for the Hyperscale database (if not already enabled).
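
The five steps above as one Azure CLI script, added here as an example; it is not code from the original post or from Microsoft's documentation. The resource names (my-rg, my-sql-server, my-hyperscale-db, my-tde-kv, tde-protector) are placeholders, the script assumes the classic access-policy permission model on the vault rather than Azure RBAC, and by default it only prints the commands it would run; pass `apply` to execute them against a logged-in `az`:

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the five TDE BYOK steps as
# Azure CLI commands for an existing logical server and Hyperscale database.
# All resource names are placeholders, and the script assumes the classic
# Key Vault access-policy permission model.
# Usage:  ./tde-byok.sh          -> only prints the commands (dry run)
#         ./tde-byok.sh apply    -> prints and runs them (needs a logged-in az)

RG="${RG:-my-rg}"                 # resource group of the logical server
SERVER="${SERVER:-my-sql-server}" # logical SQL server hosting the Hyperscale DB
DB="${DB:-my-hyperscale-db}"
KV="${KV:-my-tde-kv}"             # key vault that holds the TDE protector
KEY="${KEY:-tde-protector}"
LOC="${LOC:-eastus}"
APPLY="${1:-}"

# Print each command before running it; run it only in "apply" mode.
run() {
  printf '+ %s\n' "$*"
  if [ "$APPLY" = "apply" ]; then "$@"; fi
}

# The only key operations the server needs on the protector: read the key
# metadata and wrap/unwrap the database encryption key. No create, delete,
# purge or backup rights, so the server cannot destroy or export its own key.
least_privilege_key_permissions() { echo "get wrapKey unwrapKey"; }

# Step 1: system-assigned managed identity for the logical server.
step1_assign_identity() {
  run az sql server update --name "$SERVER" --resource-group "$RG" --assign-identity
}

# Step 2: vault and key. Purge protection (soft delete is on by default) is
# required so that a deleted protector can still be recovered within the
# retention window; an unrecoverable protector means an unrecoverable database.
step2_create_vault_and_key() {
  run az keyvault create --name "$KV" --resource-group "$RG" --location "$LOC" \
      --enable-purge-protection true
  run az keyvault key create --vault-name "$KV" --name "$KEY" --kty RSA --size 2048
}

# Step 3: grant the server identity (object id passed in) the minimal key permissions.
step3_grant_access() {
  local principal_id="$1"
  # word-splitting the permission list into separate arguments is intended
  run az keyvault set-policy --name "$KV" --object-id "$principal_id" \
      --key-permissions $(least_privilege_key_permissions)
}

# Step 4: register the versioned key id on the server and make it the TDE protector.
step4_set_protector() {
  local kid="$1"
  run az sql server key create --resource-group "$RG" --server "$SERVER" --kid "$kid"
  run az sql server tde-key set --resource-group "$RG" --server "$SERVER" \
      --server-key-type AzureKeyVault --kid "$kid"
}

# Step 5: make sure TDE itself is on for the database, then verify both ends.
step5_enable_and_verify() {
  run az sql db tde set --resource-group "$RG" --server "$SERVER" --database "$DB" --status Enabled
  run az sql server tde-key show --resource-group "$RG" --server "$SERVER"
  run az sql db tde show --resource-group "$RG" --server "$SERVER" --database "$DB"
}

main() {
  local principal_id kid
  step1_assign_identity
  step2_create_vault_and_key
  if [ "$APPLY" = "apply" ]; then
    principal_id="$(az sql server show --name "$SERVER" --resource-group "$RG" \
                      --query identity.principalId -o tsv)"
    kid="$(az keyvault key show --vault-name "$KV" --name "$KEY" --query key.kid -o tsv)"
  else
    # placeholders so the dry run shows the full command shape
    principal_id="<server-principal-id>"
    kid="https://$KV.vault.azure.net/keys/$KEY/<key-version>"
  fi
  step3_grant_access "$principal_id"
  step4_set_protector "$kid"
  step5_enable_and_verify
}

main
```

The access policy in step 3 is the part worth checking in review: the server identity gets get, wrapKey and unwrapKey only, never delete, purge or backup. Rotation is done by creating a new key version and running `az sql server tde-key set` with the new key id; the old version stays in the vault so older backups remain restorable.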

For a comprehensive step-by-step tutorial on enabling TDE BYOK using Azure PowerShell or the Azure CLI, please refer to our documentation.


Learn More

We hope TDE BYOK will provide Hyperscale customers with an enhanced experience for managing the encryption at rest keys for their data. 





Last update: Dec 07 2020 03:29 PM