Transparent data encryption (TDE) in Azure SQL helps protect against the threat of malicious offline activity by encrypting data at rest. Customers using Azure SQL Database Hyperscale can now use a key stored in Azure Key Vault (AKV) as the TDE Protector for their server.
What new functionality is available as part of this announcement
With Bring Your Own Key (BYOK) support for TDE now available for Hyperscale databases, the TDE Protector that encrypts the Database Encryption Key can be stored in a customer-owned and managed Azure Key Vault (Azure's cloud-based external key management system). The TDE Protector can be generated in AKV or transferred to it from the customer’s on-premise security vault. The logical SQL server in Azure must be given to access the key stored in AKV.
The existing TDE with service-managed keys option will continue to be available and TDE encryption mode can be switched between service-managed or customer-managed keys.
Note – TDE BYOK functionality is already available for other service tiers in Azure SQL.
What are the benefits provided by TDE BYOK for HyperScale
Steps to enable TDE BYOK for a HyperScale database
Below are the steps needed to enable TDE with customer-managed keys for Hyperscale database(s).
For a comprehensive step-by-step tutorial on enabling TDE BYOK using Azure PowerShell or CLI, please refer our documentation.
We hope TDE BYOK will provide Hyperscale customers with an enhanced experience for managing the encryption at rest keys for their data.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.