MEDIUM
Source
CloudSploit
ID
tde-protector-encrypted

TDE Protector Encrypted

Ensures SQL Server TDE protector is encrypted with BYOK (Bring Your Own Key)

Enabling BYOK (a customer-managed key held in Azure Key Vault) for the TDE protector gives the organization control of the key lifecycle: rotation, revocation and access policy are managed in its own vault, Key Vault logging provides an audit trail of every use of the key, and revoking the SQL server's access to the key makes the encrypted databases inaccessible. With the default service-managed key, none of this is under the customer's control.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for “SQL servers”.

  3. On the “SQL servers” page, select the SQL server that needs to be examined.

  4. On the selected SQL server page, scroll down the left navigation panel and select “Transparent data encryption” under “Security”.

  5. On the “Transparent data encryption” page, if “Transparent data encryption” is set to “Service-managed key”, the TDE protector of the selected SQL server is not encrypted with BYOK (Bring Your Own Key).

  6. To use a BYOK key, select “Customer-managed key” for “Transparent data encryption”.

  7. Under “Key selection method” choose “Select a key” and click “Change key” under “Key”.

  8. On the “Select a key” page, select “Key vault” under “Key store type”, then select the desired “Key” and “Version”. Click the “Select” button at the bottom to proceed.

  9. Click the “Save” button at the top to apply the change.

  10. Repeat steps 3 - 9 to ensure that a BYOK key is set for the Transparent Data Encryption of each SQL server.
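The portal steps above check one server at a time. The following script is an added example, not CloudSploit's plugin code or anything from Azure, showing the same audit and remediation with the Azure CLI across every SQL server in the current subscription. It assumes `az login` has been run, that the caller can read and update the SQL servers, and that the Key Vault key to be used already exists. The server and vault names in the comments are placeholders. Azure will reject the change unless the vault has soft-delete and purge protection enabled and the SQL server's managed identity has get, wrapKey and unwrapKey permissions on the key, so the remediation function checks purge protection before touching the server.

```shell
#!/bin/sh
# Added example (not CloudSploit's or Azure's code): audit Azure SQL servers
# for a BYOK (customer-managed) TDE protector and remediate a single server.
set -eu

# Classify the value returned by
#   az sql server tde-key show --query serverKeyType -o tsv
# Azure reports "AzureKeyVault" for a customer-managed (BYOK) protector and
# "ServiceManaged" for the default service-managed key.
classify_tde_protector() {
    case "$1" in
        AzureKeyVault)  echo "COMPLIANT" ;;
        ServiceManaged) echo "NONCOMPLIANT" ;;
        *)              echo "UNKNOWN" ;;
    esac
}

# Split a Key Vault key identifier of the form
#   https://<vault>.vault.azure.net/keys/<key>/<version>
# into "vault key version" (version is empty if the identifier has none),
# so the audit can name the vault and key actually in use.
parse_key_id() {
    kid="$1"
    host="${kid#https://}"; host="${host%%/*}"
    vault="${host%%.*}"
    rest="${kid#*/keys/}"
    key="${rest%%/*}"
    version="${rest#*/}"
    [ "$version" = "$rest" ] && version=""
    echo "$vault $key $version"
}

# Print "<resourceGroup>/<server>  <status>  <vault key version>" for every
# SQL server in the subscription. Requires network access and az login.
audit_all_servers() {
    az sql server list --query "[].[resourceGroup,name]" -o tsv |
    while read -r rg name; do
        type=$(az sql server tde-key show -g "$rg" -s "$name" \
                   --query serverKeyType -o tsv)
        uri=$(az sql server tde-key show -g "$rg" -s "$name" \
                   --query uri -o tsv)
        keyinfo=""
        [ -n "$uri" ] && keyinfo=$(parse_key_id "$uri")
        printf '%s/%s\t%s\t%s\n' "$rg" "$name" \
               "$(classify_tde_protector "$type")" "$keyinfo"
    done
}

# Make the given Key Vault key the TDE protector of one server:
#   remediate_server <resourceGroup> <server> <key identifier URL>
# The server needs a managed identity with get/wrapKey/unwrapKey on the key
# (for example: az sql server update -g RG -s SRV --assign-identity, then
# grant that identity access on the vault) before this will succeed.
remediate_server() {
    rg="$1"; name="$2"; kid="$3"
    set -- $(parse_key_id "$kid")
    vault="$1"
    # Azure refuses BYOK TDE on a vault without purge protection; fail early.
    purge=$(az keyvault show -n "$vault" \
                --query properties.enablePurgeProtection -o tsv)
    if [ "$purge" != "true" ]; then
        echo "refusing: purge protection is not enabled on vault $vault" >&2
        return 1
    fi
    # Register the key with the server, then make it the protector.
    az sql server key create -g "$rg" -s "$name" --kid "$kid" >/dev/null
    az sql server tde-key set -g "$rg" -s "$name" \
        --server-key-type AzureKeyVault --kid "$kid" >/dev/null
    # Re-read the protector so the caller sees the post-change state.
    classify_tde_protector "$(az sql server tde-key show -g "$rg" -s "$name" \
                                  --query serverKeyType -o tsv)"
}
```

Source the file and run `audit_all_servers` to get one line per server; any line marked NONCOMPLIANT is the CLI equivalent of seeing “Service-managed key” in step 5. Remediate with `remediate_server RG SRV https://VAULT.vault.azure.net/keys/KEY/VERSION`, which performs steps 6 to 9 for that server and prints COMPLIANT once the protector has changed. Pinning a key version, as the portal does in step 8, means rotation in Key Vault will not be picked up automatically; repeat the remediation after rotating the key unless the server is configured for automatic rotation.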