Tags: azure, azure-sql-database, tde

How to check that TDE is enabled and working in Azure Sql Database


As I understand from Microsoft's documentation, TDE is on by default and is managed automatically (if not choosing the option of BYOK). As a user with administrative permissions to the server, I can see all the data I want through MSSM Studio.

Even though I do see that TDE is enabled on every db created when entering the Azure portal, is there some way I can see the data in its encrypted form just to check that it's actually encrypted?

Also, if using the default option and not the BYOK option, does it mean that everything is managed for me and I can rest assured that my DBs are always protected without me needing to do anything about it?


Solution

  • You cannot actually see the encrypted data as is. If you have the right to see the data you always get the decrypted data.

    And yes, TDE is managed by MS if chosen as default.

    From MS doc: Service-managed transparent data encryption

    In Azure, the default setting for TDE is that the DEK is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256. If a database is in a geo-replication relationship, both the primary and geo-secondary databases are protected by the primary database's parent server key. If two databases are connected to the same server, they also share the same built-in certificate. Microsoft automatically rotates these certificates in compliance with the internal security policy and the root key is protected by a Microsoft internal secret store. Customers can verify SQL Database and SQL Managed Instance compliance with internal security policies in independent third-party audit reports available on the Microsoft Trust Center.
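Although the plaintext can never be observed in its encrypted form from a connection, the TDE state itself can be verified from inside the database. The following T-SQL is an added example (not part of the answer above) that reads the `sys.dm_database_encryption_keys` DMV and `sys.databases` in the connected Azure SQL Database; it assumes the `VIEW DATABASE STATE` permission and is run against the user database, not `master`.

```sql
-- Verify TDE status for the database this session is connected to.
-- encryption_state: 0 = no DEK, 1 = unencrypted, 2 = encryption in progress,
--                   3 = encrypted, 4 = key change in progress, 5 = decryption in progress
SELECT
    d.name              AS database_name,
    d.is_encrypted,     -- 1 when TDE is switched on for the database
    k.encryption_state, -- expect 3 for a fully encrypted database
    k.key_algorithm,    -- service-managed TDE uses AES
    k.key_length,       -- service-managed TDE uses a 256-bit DEK
    k.encryptor_type,   -- protector of the DEK (server certificate vs. customer-managed key)
    k.encryptor_thumbprint,
    k.percent_complete  -- non-zero only while an encryption scan is running
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
    ON k.database_id = d.database_id
WHERE d.database_id = DB_ID();

-- Fail loudly (e.g. from a compliance job) if the database is not fully encrypted.
IF NOT EXISTS (
    SELECT 1
    FROM sys.dm_database_encryption_keys
    WHERE database_id = DB_ID()
      AND encryption_state = 3
)
    RAISERROR('TDE is not in the fully encrypted state for this database', 16, 1);
```

A row with `is_encrypted = 1`, `encryption_state = 3`, `key_algorithm = 'AES'` and `key_length = 256` matches the service-managed configuration the quoted documentation describes; a missing row or a different state is what to alert on.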