Use BYOK for Transparent Data Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Sql-011

Ensure that the Transparent Data Encryption (TDE) protector (i.e. the TDE master key) of each of your Microsoft Azure SQL servers is a BYOK (Bring Your Own Key), also known as a Customer-Managed Key (CMK), held in your own Azure key vault, so that you, and not the SQL service, control the key that protects your SQL databases.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Customer-Managed Key (CMK) support for Transparent Data Encryption (TDE) puts access control over the TDE protector in your hands: you decide who can use the key and when, you can revoke that access, and every use of the key is logged by Azure Key Vault. Azure Key Vault, Microsoft's cloud key management service, is the key store that Azure SQL TDE integrates with for CMKs. With CMK-based encryption, the database encryption key (DEK) is wrapped by an asymmetric RSA key stored in your key vault; the SQL server's managed identity unwraps it using the get, wrapKey and unwrapKey permissions on that key. The protector is configured at the SQL server level and inherited by all databases created on the server. Because the server can no longer decrypt its databases if the key or vault becomes unreachable, the vault must have soft-delete and purge protection enabled, and deleting, disabling or expiring the key has to be treated as a destructive operation.


Audit

To determine the type of the encryption key used for Transparent Data Encryption (TDE) protector, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select SQL server and choose Apply to list only the SQL servers available in your Azure account.

05 Click on the name (link) of the SQL database server that you want to examine.

06 In the resource navigation panel, under Security, choose Transparent data encryption to access the encryption settings available for the selected SQL server.

07 Check the Transparent data encryption configuration setting value to determine the type of the encryption key used for the selected Azure cloud resource. If Transparent data encryption is set to Service-managed key, the Transparent Data Encryption (TDE) feature is using a service-managed key instead of a Customer-Managed Key (CMK) for the selected Microsoft Azure SQL server.

08 Repeat steps no. 5 – 7 for each SQL database server provisioned within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run sql server list command (Windows/macOS/Linux) using custom query filters to list the identifier for each SQL server available in the current Azure subscription:

az sql server list \
  --query '[*].id'

02 The command output should return the requested SQL server identifiers:

[
	"/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-project5-sql-server",
	"/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-ms-azure-sql-server"
]

03 Run sql server tde-key show command (Windows/macOS/Linux) using the ID of the Azure SQL server that you want to examine as the identifier parameter and custom query filters to describe the type of the encryption key used by Transparent Data Encryption for the selected SQL server:

az sql server tde-key show \
  --ids /subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-project5-sql-server \
  --query 'serverKeyType'

04 The command output should return the type of the encryption protector (i.e. encryption key) used for the selected SQL server:

"ServiceManaged"

If the sql server tde-key show command output returns "ServiceManaged", as shown in the example above, the Transparent Data Encryption (TDE) feature is using a service-managed key instead of a Customer-Managed Key (CMK) for the selected Azure SQL server.

05 Repeat steps no. 3 and 4 for each SQL database server provisioned in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.
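The following script automates the CLI audit above across every subscription the CLI can see. It is an added example and not part of Conformity; it assumes an authenticated Azure CLI session and that a CMK's key vault lives in the same subscription as the SQL server it protects. Beyond the rule's own check (serverKeyType must be AzureKeyVault), it also flags a CMK whose vault lacks soft-delete or purge protection, because such a vault can be purged and take every database on the server with it. The key URI and key types used in the comments are the constructed values from this page.

```shell
#!/usr/bin/env bash
# Sql-011 audit helper (added example, not Conformity's code).
# Assumes: `az login` done; CMK vault in the same subscription as the server.

# Extract the vault name from a Key Vault key URI, e.g.
# https://cc-customer-vault.vault.azure.net/keys/cc-managed-key/<version>
# -> cc-customer-vault
vault_name_from_kid() {
  local host="${1#https://}"
  host="${host%%/*}"            # cc-customer-vault.vault.azure.net
  printf '%s\n' "${host%%.*}"
}

# Classify one server. Arguments: serverKeyType, then the vault's
# enableSoftDelete and enablePurgeProtection flags as printed by
# `az keyvault show -o tsv` (True/False, or empty when no vault is involved).
tde_verdict() {
  local key_type="$1"
  local soft purge
  soft=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  purge=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  if [ "$key_type" != "AzureKeyVault" ]; then
    printf 'NON_COMPLIANT service-managed TDE protector\n'
  elif [ "$soft" != "true" ] || [ "$purge" != "true" ]; then
    printf 'WARNING CMK vault lacks soft-delete or purge protection\n'
  else
    printf 'COMPLIANT\n'
  fi
}

# Walk every SQL server in one subscription and print "<server id>\t<verdict>".
audit_subscription() {
  local sub="$1" id key_type kid vault soft purge
  for id in $(az sql server list --subscription "$sub" --query '[].id' -o tsv); do
    key_type=$(az sql server tde-key show --ids "$id" --query 'serverKeyType' -o tsv)
    soft=""; purge=""
    if [ "$key_type" = "AzureKeyVault" ]; then
      kid=$(az sql server tde-key show --ids "$id" --query 'uri' -o tsv)
      vault=$(vault_name_from_kid "$kid")
      soft=$(az keyvault show --subscription "$sub" --name "$vault" \
               --query 'properties.enableSoftDelete' -o tsv)
      purge=$(az keyvault show --subscription "$sub" --name "$vault" \
                --query 'properties.enablePurgeProtection' -o tsv)
    fi
    printf '%s\t%s\n' "$id" "$(tde_verdict "$key_type" "$soft" "$purge")"
  done
}

# Run the audit across all subscriptions only when invoked as `... run`,
# so the helper functions can also be sourced and used on their own.
if [ "${1:-}" = "run" ]; then
  for sub in $(az account list --query '[].id' -o tsv); do
    audit_subscription "$sub"
  done
fi
```

Run it as `bash sql011-audit.sh run` and grep the output for NON_COMPLIANT to get the list of servers to remediate; WARNING lines are servers that already pass the rule but whose vault configuration should be fixed before the key is relied on.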

Remediation / Resolution

To configure Transparent Data Encryption (TDE) to encrypt your Microsoft Azure SQL database servers with your own Customer-Managed Key (CMK), perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select SQL server and choose Apply to list only the SQL servers available in your Azure account.

05 Click on the name of the SQL database server that you want to reconfigure.

06 In the navigation panel, under Security, choose Transparent data encryption to access the encryption settings available for the selected SQL server.

07 On the Transparent data encryption configuration panel, perform the following operations:

  1. For Transparent data encryption select Customer-managed key.
  2. For Key selection method choose Select a key.
  3. For Key, choose Change key under Select a key.
  4. For Select a key, choose the key vault, the encryption key, and the key version that you want to use for Transparent Data Encryption (TDE). If you don't have these resources already available, follow the Azure Portal setup wizard to create them.
  5. Select the Make this key the default TDE protector checkbox to set the selected Customer-Managed Key (CMK) as the default key for the Transparent Data Encryption (TDE) protector.
  6. Select the Auto-rotate key checkbox to enable automatic rotation of the TDE protector to the latest key version in your key vault.
  7. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each SQL database server available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run sql server tde-key set command (Windows/macOS/Linux) using the ID of the Azure SQL database server that you want to reconfigure as the identifier parameter to configure Transparent Data Encryption (TDE) to use a Customer-Managed Key (CMK) for the selected SQL database server. Before running it, the key must be registered with the server using the sql server key create command, the server's managed identity must have the get, wrapKey and unwrapKey permissions on that key, and the key vault must have soft-delete and purge protection enabled; otherwise the request is rejected. For example, the following command applies an existing Customer-Managed Key (CMK), identified by the URI "https://cc-customer-vault.vault.azure.net/keys/cc-managed-key/01234123412341234123412341234123", to the SQL server identified by the ID "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-project5-sql-server":

az sql server tde-key set \
  --ids /subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-project5-sql-server \
  --server-key-type AzureKeyVault \
  --kid https://cc-customer-vault.vault.azure.net/keys/cc-managed-key/01234123412341234123412341234123

02 The command output should return the TDE’s configuration information for the modified SQL server:

{
	"id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-project5-sql-server/encryptionProtector/current",
	"kind": "azurekeyvault",
	"name": "current",
	"resourceGroup": "cloud-shell-storage-westeurope",
	...
	"serverKeyName": "cc-customer-vault_cc-managed-key_01234123412341234123412341234123",
	"serverKeyType": "AzureKeyVault",
	"type": "Microsoft.Sql/servers/encryptionProtector",
	"uri": "https://cc-customer-vault.vault.azure.net/keys/cc-managed-key/01234123412341234123412341234123"
}

03 Repeat steps no. 1 and 2 for each SQL database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
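The CLI remediation above only works once the prerequisites are in place, so the following script, an added example that is not Conformity's code, performs the whole sequence for one server: it enables purge protection on the vault, gives the server a system-assigned identity with only the three key permissions TDE needs, registers the key, sets it as the protector, and then verifies the result. It assumes an authenticated Azure CLI session, a key vault that uses access policies (for an RBAC-enabled vault, assign the Key Vault Crypto Service Encryption User role to the identity instead of calling set-policy), and resource names you pass in as arguments. The serverKeyName format it checks against, "<vault>_<key>_<version>", is the one shown in the command output above.

```shell
#!/usr/bin/env bash
# Sql-011 remediation helper (added example, not Conformity's code).
# Usage: bash sql011-remediate.sh <resource-group> <sql-server> <key-vault> <key-name>

# Azure names a registered server key "<vault>_<key>_<version>" (see the
# serverKeyName in the tde-key set output); computing it lets us verify the change.
server_key_name_from_kid() {
  local rest="${1#https://}"          # vault.vault.azure.net/keys/<key>/<version>
  local vault="${rest%%.*}"
  rest="${rest#*/keys/}"              # <key>/<version>
  printf '%s_%s_%s\n' "$vault" "${rest%%/*}" "${rest#*/}"
}

# Arguments: resource group, SQL server name, key vault name, key name.
remediate_server() {
  local rg="$1" server="$2" vault="$3" key="$4" principal kid expected actual

  # Purge protection (soft-delete is on by default) is required before a key
  # can become a TDE protector; without it a vault purge would make every
  # database on the server unreadable.
  az keyvault update --name "$vault" --enable-purge-protection true >/dev/null

  # System-assigned identity for the server, granted nothing beyond
  # get/wrapKey/unwrapKey on keys in this vault (least privilege).
  principal=$(az sql server update -g "$rg" -n "$server" --assign-identity \
                --query 'identity.principalId' -o tsv)
  az keyvault set-policy --name "$vault" --object-id "$principal" \
    --key-permissions get wrapKey unwrapKey >/dev/null

  # Register the current key version with the server, then make it the protector.
  kid=$(az keyvault key show --vault-name "$vault" --name "$key" --query 'key.kid' -o tsv)
  az sql server key create -g "$rg" -s "$server" --kid "$kid" >/dev/null
  az sql server tde-key set -g "$rg" -s "$server" \
    --server-key-type AzureKeyVault --kid "$kid" >/dev/null

  # Verify: the protector must now be exactly the key we registered.
  expected=$(server_key_name_from_kid "$kid")
  actual=$(az sql server tde-key show -g "$rg" -s "$server" --query 'serverKeyName' -o tsv)
  if [ "$actual" = "$expected" ]; then
    printf 'OK %s now uses CMK %s\n' "$server" "$kid"
  else
    printf 'FAILED %s protector is %s, expected %s\n' "$server" "$actual" "$expected" >&2
    return 1
  fi
}

# Only act when all four arguments are supplied, so the functions can be sourced.
if [ "$#" -eq 4 ]; then
  remediate_server "$@"
fi
```

The script pins the protector to the key version it found; if you enable auto-rotation on the server afterwards (the Auto-rotate key option in the portal), rotating the key in the vault is then picked up without re-running this step, but you still need to keep previous versions available until every backup encrypted under them has expired.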

Publication date Jul 24, 2019