Microsoft Azure – TDE is Enabled in Azure SQL Database

Pre-requisite: Azure VM

Transparent Data Encryption

By encrypting data at rest, transparent data encryption (TDE) protects Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of unauthorized offline actions. Without requiring changes to the system, it enables real-time encryption and decryption of the database, associated backups, and transaction log files at rest.

TDE is enabled by default for all newly deployed Azure SQL Databases, but it must be enabled manually for older Azure SQL Database databases. TDE is enabled at the instance level and for newly generated databases in Azure SQL Managed Instance. For Azure Synapse Analytics, TDE must be manually activated.

At the page level, TDE performs real-time I/O encryption and decryption. When a page is read into memory, it is decrypted and then encrypted before being written to a disc. TDE uses a symmetric key called the Database Encryption Key to encrypt the storage of an entire database (DEK). The encrypted DEK is decrypted and utilized for decryption and re-encryption of database files in the SQL Server database engine process at database startup. 

TDE protector is an asymmetric key stored in Azure Key Vault or a service-managed certificate (service-managed transparent data encryption or customer-managed transparent data encryption). The TDE protector is set at the server level for Azure SQL Database and Azure Synapse, and it is inherited by all databases associated with that server. The TDE protector is set at the instance level for Azure SQL Managed Instance, and it is inherited by all encrypted databases on that instance. 

TDE can be enabled and disabled at the database level. To set TDE on and off on a database in Azure SQL Managed Instance, utilize Transact-SQL (T-SQL). After signing in using the Azure Administrator or Contributor account, you may manage TDE for the database on the Azure portal for Azure SQL Database and Azure Synapse. TDE options can be found in your user database. Service-managed transparent data encryption is utilized by default. For the server that hosts the database, a TDE certificate is generated automatically.

Steps to Manage TDE in the Azure portal:

Use the Azure portal to configure TDE, log in as an Azure Owner, Contributor, or SQL Security Manager, Go to all resources, 

Step 1: Log in to Azure Portal.

Login Azure Portal

Step 2: Go to View all resources.

Azure Resources Portal

Step 3: Select Azure SQL Database (i.e. geeksqldb) and go to Security to check or change transparent data encryption (TDE) status.

Azure SQL Database

Manage TDE by using Transact-SQL:

Connect to the user-created database in SQL Server Management Studio (SSMS) or Azure Data Studio by using a login that has an administrator role in the master database and run the below command: 

ALTER DATABASE (Azure SQL Database name) SET ENCRYPTION ON/OFF 

For Example:

Db Commands