AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!


Implement Transparent Data Encryption

Configure and Manage Transparent Data Encryption

Transparent Data Encryption (TDE) is a security feature that protects your Azure SQL Database and Managed Instance by encrypting data at rest. It uses AES-256 to secure both database and log files without requiring any changes to your applications. TDE automatically encrypts data as it’s written to storage and decrypts it when read, ensuring data-at-rest protection seamlessly. By default, Azure SQL enables TDE on every new database, giving you built-in encryption from the start.

Key management in TDE follows a two-level hierarchy. The Data Encryption Key (DEK) is a symmetric key that’s encrypted by a Master Key, which can be service-managed or customer-managed. Using Bring Your Own Key (BYOK) with Azure Key Vault gives you control over key provisioning, rotation, and permissions. With BYOK, you can:

  • Store and rotate the Master Key in Azure Key Vault
  • Separate roles between security administrators and database administrators
  • Ensure centralized key management and auditability

To configure TDE with customer-managed keys, you set up an encryption protector on your logical server. Assign a user-assigned managed identity to the server so it can reach the Key Vault, and grant that identity wrapKey and unwrapKey permissions on the key. Then specify the Key Vault key identifier (the key's URI) in the encryption protector settings. You can perform these steps via:

  • Azure Portal
  • Azure PowerShell (Set-AzSqlServerTransparentDataEncryptionProtector)
  • Azure CLI (az sql server tde-key set)

Monitoring and verifying encryption status is critical for compliance. You can check the encryption state and key usage in the Azure Portal under the Transparent Data Encryption blade. Alternatively, use PowerShell or CLI commands to retrieve TDE protector settings and status. For automated monitoring, ingest Azure Monitor logs and set alerts for any changes to the encryption protector or key expiration to maintain continuous compliance.
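The Azure PowerShell script below is an added example, not part of the course page or of any Microsoft sample, and walks through the configuration steps above followed by the verification and key-expiry check described in this paragraph. The resource names (resource group, server, database, identity, vault and key) are placeholders you would replace with your own; it assumes a recent Az.Sql module, a Key Vault using the access-policy permission model, and an RSA key already created in a vault that has soft-delete and purge protection enabled (Azure SQL rejects the key otherwise).

```powershell
# Added example (not from the course page): set a customer-managed TDE protector
# with Azure PowerShell, then verify the encryption state and key expiry.
# Placeholder names below are assumptions; replace them with your own resources.
# Requires Az.Accounts, Az.Sql, Az.KeyVault and Az.ManagedServiceIdentity.

$rg      = 'rg-sql-prod'      # resource group (placeholder)
$server  = 'sql-prod-01'      # logical server name (placeholder)
$db      = 'appdb'            # database to verify (placeholder)
$uami    = 'uami-sql-tde'     # user-assigned managed identity (placeholder)
$vault   = 'kv-tde-prod'      # Key Vault holding the protector key (placeholder)
$keyName = 'tde-protector'    # RSA key name in the vault (placeholder)

Connect-AzAccount | Out-Null

# 1. Resolve the user-assigned identity and attach it to the logical server as its
#    primary identity; this is the identity Azure SQL uses to talk to Key Vault.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uami
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server `
    -IdentityType 'UserAssigned' `
    -UserAssignedIdentityId $identity.Id `
    -PrimaryUserAssignedIdentityId $identity.Id | Out-Null

# 2. Grant the identity only the key permissions TDE needs. 'get' is required alongside
#    wrapKey/unwrapKey so the service can read key metadata. On a vault that uses Azure
#    RBAC instead of access policies, assign the built-in role
#    'Key Vault Crypto Service Encryption User' to the identity instead.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $identity.PrincipalId `
    -PermissionsToKeys get,wrapKey,unwrapKey

# 3. Fetch the versioned key identifier (URI) that the protector setting expects.
$key   = Get-AzKeyVaultKey -VaultName $vault -Name $keyName
$keyId = $key.Key.Kid    # https://<vault>.vault.azure.net/keys/<name>/<version>

# 4. Register the key with the server, then make it the encryption protector.
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $keyId | Out-Null
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $keyId | Out-Null

# 5. Verify: the protector must be AzureKeyVault and point at our key, and the
#    database must report TDE as Enabled. Fail loudly on any mismatch so a pipeline
#    or scheduled job surfaces drift instead of silently passing.
$protector = Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server
if ($protector.Type -ne 'AzureKeyVault' -or $protector.KeyId -ne $keyId) {
    throw "Protector is $($protector.Type) / $($protector.KeyId); expected AzureKeyVault / $keyId"
}
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db
if ($tde.State -ne 'Enabled') {
    throw "TDE state on $db is $($tde.State); expected Enabled"
}

# 6. Compliance check worth running on a schedule: an expired or deleted protector key
#    makes every database on the server inaccessible, so warn well before expiry.
if ($key.Expires -and $key.Expires -lt (Get-Date).AddDays(30)) {
    Write-Warning "TDE protector key '$keyName' expires on $($key.Expires); rotate it before then."
}

Write-Output "Protector: $($protector.Type) -> $($protector.KeyId)"
Write-Output "Database '$db' TDE state: $($tde.State)"
```

Steps 5 and 6 are the parts worth keeping as a recurring job: the Portal blade shows the same information, but a script that throws on an unexpected protector type or key, and warns ahead of key expiry, gives you a signal you can alert on in addition to the Azure Monitor alerts on protector changes.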

Conclusion

In summary, Transparent Data Encryption in Azure SQL provides automatic data-at-rest protection using AES-256 without application changes. You manage keys through a two-level hierarchy, choosing between service-managed or customer-managed options in Azure Key Vault. Configuration involves setting an encryption protector, assigning identities, and granting key permissions by using the Azure Portal, PowerShell, or CLI. Finally, regular monitoring of the encryption state and key usage via Azure Monitor ensures ongoing compliance and security.