
Use SQL database TDE

Security · SQL Database · Rule · 2020_06 · Critical

Use Transparent Data Encryption (TDE) with Azure SQL Database.

Description

TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is performed at rest without requiring changes to the application.

By default, TDE is enabled for all user-defined databases.

Recommendation

Consider enabling Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.

Examples

Configure with Azure template

To deploy databases that pass this rule:

  • Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
    • Set the properties.state to Enabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "apiVersion": "2023-08-01-preview",
  "name": "[format('{0}/{1}/{2}', parameters('name'), parameters('name'), 'current')]",
  "properties": {
    "state": "Enabled"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]"
  ]
}
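A minimal offline check of the pattern above, added here as an example and not PSRule's own implementation of the rule: it walks a parsed ARM template and reports, for each SQL database, whether a transparentDataEncryption sub-resource with state Enabled is present. The sample template, the server name sql01 and the database names are constructed for the example.

```python
import json

DB_TYPE = "Microsoft.Sql/servers/databases"
TDE_TYPE = DB_TYPE + "/transparentDataEncryption"


def _tde_enabled(resource: dict) -> bool:
    """True when a transparentDataEncryption resource has properties.state == Enabled."""
    return str(resource.get("properties", {}).get("state", "")).lower() == "enabled"


def check_sql_tde(template: dict) -> dict:
    """Map each '<server>/<database>' in the template to whether TDE is enabled.

    Covers both ARM forms: a top-level sub-resource named '<server>/<db>/current'
    and a child nested in the database's own 'resources' with the short type.
    Names are taken literally; expressions like "[format(...)]" are not evaluated.
    """
    results = {}
    for res in template.get("resources", []):
        if res.get("type") == DB_TYPE:
            results[res["name"]] = any(
                child.get("type") in (TDE_TYPE, "transparentDataEncryption")
                and _tde_enabled(child)
                for child in res.get("resources", [])
            )
    for res in template.get("resources", []):
        if res.get("type") == TDE_TYPE and _tde_enabled(res):
            parent = res["name"].rsplit("/", 1)[0]  # strip the trailing '/current'
            if parent in results:
                results[parent] = True
    return results


# Constructed sample: TDE enabled via a top-level sub-resource, explicitly
# disabled via a nested child, and missing entirely.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Sql/servers/databases", "name": "sql01/orders"},
  {"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
   "name": "sql01/orders/current", "properties": {"state": "Enabled"}},
  {"type": "Microsoft.Sql/servers/databases", "name": "sql01/legacy",
   "resources": [{"type": "transparentDataEncryption", "name": "current",
                  "properties": {"state": "Disabled"}}]},
  {"type": "Microsoft.Sql/servers/databases", "name": "sql01/scratch"}
]}
""")

if __name__ == "__main__":
    for db, ok in check_sql_tde(SAMPLE_TEMPLATE).items():
        print(f"{db}: {'pass' if ok else 'FAIL'}")
```

Databases deployed with template-expression names, such as the `[format(...)]` form in the snippet above, need their names resolved before this literal comparison applies.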

Configure with Bicep

To deploy databases that pass this rule:

  • Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
    • Set the properties.state to Enabled.

For example:

Azure Bicep snippet
resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2023-08-01-preview' = {
  parent: database
  name: 'current'
  properties: {
    state: 'Enabled'
  }
}

Configure with Azure CLI

Azure CLI snippet
az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'

Configure with Azure PowerShell

Azure PowerShell snippet
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled

Configure with Azure Policy

To address this issue at runtime, use the following policies:
