1

As I understand from Microsoft's documentations, TDE is on by default and is managed automatically (if not choosing the option of BYOK). As a user with administrative permissions to the server, I can see all the data I want through MSSM Studio.

Even though I do see that TDE is enabled on every db created when entering the Azure portal, is there some way I can see the data in its encrypted form just to check that it's actually encrypted?

Also, if using the default option and not the BYOK option, does it mean that everything is managed for me and I can rest assured that my DBs are always protected without me needing to do anything about it?

CodeMonkey
  • 11,196
  • 30
  • 112
  • 203

1 Answers1

0

You cannot actually see the encrypted data as is. If you have the right to see the data you always get the decrypted data.

And yes, TDE is managed my MS if chosen as default.

From MS doc: Service-managed transparent data encryption

In Azure, the default setting for TDE is that the DEK is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256. If a database is in a geo-replication relationship, both the primary and geo-secondary databases are protected by the primary database's parent server key. If two databases are connected to the same server, they also share the same built-in certificate. Microsoft automatically rotates these certificates in compliance with the internal security policy and the root key is protected by a Microsoft internal secret store. Customers can verify SQL Database and SQL Managed Instance compliance with internal security policies in independent third-party audit reports available on the Microsoft Trust Center.

KarthikBhyresh-MT
  • 4,560
  • 2
  • 5
  • 12
  • Is there a way to change settings of the encryption? for example when to rotate the certificate or what not, but without using BYOK? Meaning control the life cycle but with an auto generated key? – CodeMonkey Nov 22 '21 at 13:05
  • unfortunately I could not find anything as such – KarthikBhyresh-MT Nov 22 '21 at 13:20
  • What about that last sentence there with the trust center? – CodeMonkey Nov 23 '21 at 22:49
  • https://servicetrust.microsoft.com/ these are reports on compliance and design implementation, i am not sure if they are the right team, but you can give it a try. – KarthikBhyresh-MT Nov 24 '21 at 01:56
  • Oh so it means its a compliance set by Microsoft without users being able to change its settings? – CodeMonkey Nov 24 '21 at 06:16
  • 1
    yes, managing, storing and rotating keys is done internally by MS following their internal policies, if you would want to verify if they are compliant with the standards, you can reach out to trust center – KarthikBhyresh-MT Nov 24 '21 at 06:40