Verify that SQL server's Transparent Data Encryption (TDE) protector is encrypted

Framework Reference: A.8.24 Integration: Azure – SQL Server

Why this matters

Using Customer-managed keys (CMKs) for Transparent Data Encryption (TDE) enhances security and compliance by giving organizations full control over the encryption keys used to secure data at rest. This reduces reliance on Microsoft-managed keys and enables stronger separation of duties, key rotation policies, and auditing.

Without CMKs, encryption relies on Microsoft-managed keys, which limits visibility and may fall short of regulatory requirements for sensitive workloads.


What this check does

This Auto Check verifies that the TDE protector for an Azure SQL Server is encrypted using a key stored in Azure Key Vault.

Check Logic

Passes if:

  • serverKeyType = AzureKeyVault
  • kind = azurekeyvault
  • uri is not null

Fails if:

  • serverKeyType = ServiceManaged, or any key type other than AzureKeyVault

Applies to:

  • Azure SQL Server
  • Azure SQL Managed Instance
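
The check logic above, written out as a small Python evaluator. This is an added example, not the product's own check code; it runs over a constructed sample shaped like the JSON that az sql server tde-key show prints (server names and the key URI are placeholders), and reports every failed condition rather than only the first.

```python
import json

# The three conditions the check requires (from the "Passes if" list above).
REQUIRED_KEY_TYPE = "AzureKeyVault"
REQUIRED_KIND = "azurekeyvault"


def evaluate_tde_protector(protector: dict) -> tuple[bool, list[str]]:
    """Return (passed, findings) for one encryption-protector object.

    Every failed condition is reported, so a reviewer can see whether the
    protector is service-managed outright or merely missing a key URI."""
    findings = []
    key_type = protector.get("serverKeyType")
    if key_type != REQUIRED_KEY_TYPE:
        findings.append(f"serverKeyType is {key_type!r}, expected {REQUIRED_KEY_TYPE!r}")
    kind = protector.get("kind")
    if kind != REQUIRED_KIND:
        findings.append(f"kind is {kind!r}, expected {REQUIRED_KIND!r}")
    if not protector.get("uri"):
        findings.append("uri is null: no Key Vault key identifier is configured")
    return (not findings, findings)


def audit(protectors_by_server: dict) -> dict:
    """Map each server name to "PASS" or "FAIL" using the per-server evaluation."""
    return {
        name: "PASS" if evaluate_tde_protector(p)[0] else "FAIL"
        for name, p in protectors_by_server.items()
    }


# Constructed sample (placeholder names and key URI), shaped like the JSON that
# `az sql server tde-key show --resource-group <rg> --server <name>` prints,
# collected into a map keyed by server name so several servers can be audited.
SAMPLE_PROTECTORS = json.loads("""
{
  "sql-prod-01": {"kind": "azurekeyvault", "serverKeyType": "AzureKeyVault",
                  "serverKeyName": "kv-tde_tdekey_0123abcd",
                  "uri": "https://kv-tde.vault.azure.net/keys/tdekey/0123abcd",
                  "autoRotationEnabled": true},
  "sql-dev-02":  {"kind": "servicemanaged", "serverKeyType": "ServiceManaged",
                  "serverKeyName": "ServiceManaged", "uri": null,
                  "autoRotationEnabled": false}
}
""")
```

Calling audit(SAMPLE_PROTECTORS) yields PASS for sql-prod-01 and FAIL for sql-dev-02; evaluate_tde_protector on the failing entry lists all three unmet conditions.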

How to fix it

Azure Portal

  1. Go to SQL servers
  2. Select the desired server
  3. Click Transparent data encryption
  4. Select Customer-managed key
  5. Choose or create a key in Azure Key Vault
  6. Check Make selected key the default TDE protector
  7. Save

Azure CLI

az sql server tde-key set \
  --resource-group <resourceGroupName> \
  --server <serverName> \
  --server-key-type AzureKeyVault \
  --kid <keyIdentifier>

PowerShell

Set-AzSqlServerTransparentDataEncryptionProtector `
  -Type AzureKeyVault `
  -KeyId <KeyIdentifier> `
  -ServerName <ServerName> `
  -ResourceGroupName <ResourceGroupName>


Exceptions

There are no general exceptions. If the workload is non-sensitive or not subject to compliance requirements, Microsoft-managed keys may be acceptable. Any deviation should be documented with a clear risk justification.

