Verify that the SQL server's Transparent Data Encryption (TDE) protector is encrypted with a customer-managed key
Why this matters
Using customer-managed keys (CMKs) for Transparent Data Encryption (TDE) gives the organization control over the key that protects each database's Database Encryption Key, and therefore over its data at rest. Because the TDE protector lives in an Azure Key Vault (or Managed HSM) that the organization administers, it can enforce separation of duties between database and key administrators, apply its own key rotation policy, audit every wrap and unwrap operation through Key Vault logging, and revoke the server's access to the key, which makes the databases inaccessible.
Without CMKs, the TDE protector is a service-managed certificate whose lifecycle, rotation and access are handled entirely by Microsoft and are not visible to the customer, which limits auditability and may fall short of regulatory requirements for sensitive workloads.
What this check does
This Auto Check verifies that the TDE protector of an Azure SQL logical server (or Managed Instance) is a customer-managed key stored in Azure Key Vault or Managed HSM, rather than the service-managed certificate.
Check Logic
The check reads the server's encryption protector resource and evaluates its serverKeyType, kind and uri fields.
Passes if all of the following hold:
- serverKeyType = AzureKeyVault
- kind = azurekeyvault
- uri is not null (the Key Vault key identifier, of the form https://<vaultName>.vault.azure.net/keys/<keyName>/<keyVersion>)
Fails if:
- serverKeyType = ServiceManaged, or any value other than AzureKeyVault
- serverKeyType = AzureKeyVault but uri is null
Applies to:
- Azure SQL Server
- Azure SQL Managed Instance
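To make the pass/fail rules concrete, the following is an added example (not part of the original check's implementation) that applies them to protector records in the flattened shape the Azure CLI prints for `az sql server tde-key show -o json` (the REST resource Microsoft.Sql/servers/encryptionProtector nests the same fields under properties, which the example also accepts). The server names, vault names and key identifiers in SAMPLE_PROTECTORS are constructed for the example, and the helper names evaluate_protector and evaluate_all are this example's own. It goes one step beyond the rules above by also requiring the uri to be an https Key Vault or Managed HSM key identifier, so a malformed record cannot pass on a non-null string alone.

```python
"""Evaluate Azure SQL TDE encryption protector records against the check logic.

Added example: applies the pass/fail rules to records shaped like the output of
`az sql server tde-key show -o json` (or the raw REST resource with a nested
"properties" object). No Azure call is made; the records below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption for this example: public-cloud Key Vault and Managed HSM DNS
# suffixes only. Sovereign clouds use different suffixes.
KEY_VAULT_HOST_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")


@dataclass
class Verdict:
    passed: bool
    reason: str


def evaluate_protector(protector: dict) -> Verdict:
    """Apply the check to one encryption protector resource.

    Passes only when serverKeyType is AzureKeyVault, kind is azurekeyvault and
    uri is present and is an https Key Vault / Managed HSM key identifier.
    Comparisons are case-insensitive because the CLI and REST API differ in
    casing of enum values.
    """
    props = protector.get("properties", protector)  # nested (REST) or flat (CLI)
    key_type = (props.get("serverKeyType") or "").strip()
    kind = (protector.get("kind") or props.get("kind") or "").strip().lower()
    uri = props.get("uri")

    if key_type.lower() == "servicemanaged":
        return Verdict(False, "protector is ServiceManaged (Microsoft-managed certificate)")
    if key_type.lower() != "azurekeyvault":
        return Verdict(False, f"unexpected serverKeyType {key_type!r}")
    if kind != "azurekeyvault":
        return Verdict(False, f"kind is {kind!r}, expected 'azurekeyvault'")
    if not uri:
        return Verdict(False, "serverKeyType is AzureKeyVault but uri is null")
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc.lower().endswith(KEY_VAULT_HOST_SUFFIXES):
        return Verdict(False, f"uri {uri!r} is not a Key Vault / Managed HSM key identifier")
    return Verdict(True, f"TDE protector is a customer-managed key: {uri}")


def evaluate_all(protectors: dict) -> dict:
    """Return {server name: Verdict} for a batch of protector records."""
    return {name: evaluate_protector(record) for name, record in protectors.items()}


# Constructed sample records (not real resources). Three are in the flattened
# CLI shape; the last uses the nested REST shape and a Managed HSM key.
SAMPLE_PROTECTORS = {
    "sql-prod-eastus": {
        "kind": "azurekeyvault",
        "serverKeyType": "AzureKeyVault",
        "serverKeyName": "kv-prod_tde-key_0123456789abcdef0123456789abcdef",
        "uri": "https://kv-prod.vault.azure.net/keys/tde-key/0123456789abcdef0123456789abcdef",
    },
    "sql-dev-westus": {
        "kind": "servicemanaged",
        "serverKeyType": "ServiceManaged",
        "serverKeyName": "ServiceManaged",
        "uri": None,
    },
    "sql-broken-config": {  # claims a CMK but no key identifier is recorded
        "kind": "azurekeyvault",
        "serverKeyType": "AzureKeyVault",
        "serverKeyName": "kv-prod_tde-key_fedcba9876543210fedcba9876543210",
        "uri": None,
    },
    "sql-hsm-northeu": {
        "kind": "azurekeyvault",
        "properties": {
            "serverKeyType": "AzureKeyVault",
            "uri": "https://hsm-prod.managedhsm.azure.net/keys/tde-key/abc123",
        },
    },
}

if __name__ == "__main__":
    for server, verdict in evaluate_all(SAMPLE_PROTECTORS).items():
        print(f"{'PASS' if verdict.passed else 'FAIL'}  {server}: {verdict.reason}")
```

Feeding the script the real output of `az sql server tde-key show` (or `az sql mi tde-key show` for a Managed Instance) is a matter of loading the JSON into a dict; the third sample shows why the uri test matters, since a record can carry serverKeyType = AzureKeyVault without a usable key reference.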
How to fix it
Azure Portal
- Go to SQL servers
- Select the desired server
- Click Transparent data encryption
- Select Customer-managed key
- Choose or create a key in Azure Key Vault (the vault must have soft-delete and purge protection enabled, and the server's managed identity needs get, wrapKey and unwrapKey permissions on the key)
- Check Make selected key the default TDE protector
- Save
Azure CLI
If the key is not yet registered with the server, add it first with az sql server key create --kid <keyIdentifier>; for a Managed Instance use az sql mi tde-key set with --managed-instance <instanceName> in place of --server.
az sql server tde-key set \
--resource-group <resourceGroupName> \
--server <serverName> \
--server-key-type AzureKeyVault \
--kid <keyIdentifier>
PowerShell
If the key is not yet registered with the server, add it first with Add-AzSqlServerKeyVaultKey -KeyId <KeyIdentifier>; for a Managed Instance use Set-AzSqlInstanceTransparentDataEncryptionProtector with -InstanceName in place of -ServerName.
Set-AzSqlServerTransparentDataEncryptionProtector `
-Type AzureKeyVault `
-KeyId <KeyIdentifier> `
-ServerName <ServerName> `
-ResourceGroupName <ResourceGroupName>
Exceptions
There are no blanket exceptions. Service-managed keys may be acceptable for a workload that holds no sensitive data and is not subject to compliance requirements for customer-controlled keys. Any such deviation should be documented with a clear risk justification.