
Use BYOK for Transparent Data Encryption

Last updated: 03 February 2020
Risk level: Medium (should be achieved)

Ensure that your Microsoft Azure SQL server's Transparent Data Encryption protector (i.e. TDE master key) is encrypted with BYOK (Bring Your Own Key) in order to protect your SQL databases with a key from your own Azure key vault.

Security

Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE) gives you control of the TDE encryption keys and lets you restrict who can access these keys and when. Azure Key Vault, a cloud-based external key management system developed by Microsoft, is the first key management service for which SQL Transparent Data Encryption has integrated BYOK support. With BYOK, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the SQL server level and inherited by all databases created on that server.

Audit

To determine if BYOK is used for your Azure SQL server's Transparent Data Encryption (TDE), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL servers available in your Azure account.

04 Click on the name of the SQL database server that you want to examine.

05 In the navigation panel, under Security, select Transparent data encryption to access the encryption settings for the selected Azure SQL server.

06 On the Transparent data encryption configuration page, check the Use your own key configuration setting status. If the current status is set to No, the Transparent Data Encryption (TDE) feature is using a service-managed key instead of a customer-managed key (also known as Bring Your Own Key - BYOK) for the selected Microsoft Azure SQL server.

07 Repeat steps no. 4 – 6 for each SQL database server provisioned in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the sql server list command (Windows/macOS/Linux) with a custom query filter to list the identifier of each SQL server available in the current Azure subscription:

az sql server list \
	--query '[*].id'

02 The command output should return the requested SQL server identifiers:

[
"/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-project5-sql-server",
"/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-ms-azure-sql-server"
]

03 Run the sql server tde-key show command (Windows/macOS/Linux) using the ID of the Azure SQL server that you want to examine as the identifier parameter, with a custom query filter to expose the type of the encryption key used by Transparent Data Encryption for the selected SQL server:

az sql server tde-key show \
	--ids /subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-project5-sql-server \
	--query 'serverKeyType'

04 The command output should return the type of the encryption protector (key) used for the selected server:

"ServiceManaged"

If the sql server tde-key show command output returns "ServiceManaged", as shown in the example above, the Transparent Data Encryption (TDE) feature is using a service-managed key instead of a customer-managed key (i.e. BYOK) for the selected Microsoft Azure SQL database server.

05 Repeat steps no. 3 and 4 for each SQL database server provisioned in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.
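The CLI audit above (list server IDs, then read each server's TDE protector type) can be driven from a short script. The following is an added example, not Cloud Conformity's own code: it assumes a logged-in Azure CLI for the live path, and the classification logic is exercised offline with a constructed sample record.

```python
"""Audit Azure SQL servers for a BYOK (customer-managed) TDE protector."""
import json
import shutil
import subprocess

# Constructed sample: shape of `az sql server tde-key show` output for a
# server that still uses the service-managed protector (not real output).
SAMPLE_SERVICE_MANAGED = json.dumps({
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
          "/rg-example/providers/Microsoft.Sql/servers/example-sql-server"
          "/encryptionProtector/current",
    "kind": "servicemanaged",
    "serverKeyName": "ServiceManaged",
    "serverKeyType": "ServiceManaged",
    "uri": None,
})


def classify_protector(record: dict) -> dict:
    """Return a finding for one encryptionProtector record.

    BYOK is in use only when serverKeyType is AzureKeyVault and the record
    carries the Key Vault key URI; anything else (ServiceManaged) is flagged.
    """
    server = record["id"].split("/servers/")[1].split("/")[0]
    key_type = record.get("serverKeyType")
    byok = key_type == "AzureKeyVault" and bool(record.get("uri"))
    return {"server": server, "serverKeyType": key_type, "byok": byok}


def az_json(*args: str):
    """Run an Azure CLI command and parse its JSON output (needs `az login`)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_subscription() -> list:
    """Steps 1 to 5 of the CLI audit for the currently selected subscription."""
    findings = []
    for server_id in az_json("sql", "server", "list", "--query", "[*].id"):
        record = az_json("sql", "server", "tde-key", "show", "--ids", server_id)
        findings.append(classify_protector(record))
    return findings


if __name__ == "__main__":
    if shutil.which("az") is None:  # offline: show the sample classification
        print(classify_protector(json.loads(SAMPLE_SERVICE_MANAGED)))
    else:
        for f in audit_subscription():
            print("OK  " if f["byok"] else "FAIL", f["server"], f["serverKeyType"])
```

Run it once per subscription after `az account set --subscription <id>`; every FAIL line is a server whose TDE protector is still service-managed.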

Remediation / Resolution

To configure the Transparent Data Encryption (TDE) feature on your Azure SQL database servers to use your own customer-managed key (BYOK), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL servers available in your Azure account.

04 Click on the name of the SQL server that you want to reconfigure (see Audit section part I to identify the right SQL resource).

05 In the navigation panel, under Security, select Transparent data encryption to access the encryption settings for the selected Azure SQL server.

06 On the Transparent data encryption configuration page, perform the following actions:

  1. Select Yes under Use your own key to initiate the customer-managed key configuration process.
  2. Click on the Key vault link and select the encryption key vault that holds the key.
  3. Click on the Key link and select an existing customer-managed key that you want to use as the TDE protector for the selected server. If you need to create a new encryption key, click on the Create a new key button and use the default configuration settings provided by Microsoft Azure to create a new customer-managed key.
  4. Select the Make the selected key the default TDE protector checkbox to set the selected customer-managed key as the default key for the Transparent Data Encryption (TDE) protector.
  5. Click Save to apply the TDE configuration changes.

07 Repeat steps no. 4 – 6 for each SQL database server available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the sql server tde-key set command (Windows/macOS/Linux) using the ID of the Azure SQL database server that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right SQL resource) to configure the Transparent Data Encryption (TDE) feature to use a customer-managed key (i.e. Bring Your Own Key - BYOK) for the selected SQL database server. For example, the following command configures an existing customer-managed key, identified by the URI "https://cc-customer-vault.vault.azure.net/keys/cc-managed-key/01234123412341234123412341234123", as the TDE protector:

az sql server tde-key set \
	--ids /subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-webapp-sql-server \
	--server-key-type AzureKeyVault \
	--kid https://cc-customer-vault.vault.azure.net/keys/cc-managed-key/01234123412341234123412341234123

02 The command output should return the TDE configuration metadata for the selected server:

{
  "id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/cc-webapp-sql-server/encryptionProtector/current",
  "kind": "azurekeyvault",
  "name": "current",
  "resourceGroup": "cloud-shell-storage-westeurope",
  ...
  "serverKeyName": "cc-customer-vault_cc-managed-key_01234123412341234123412341234123",
  "serverKeyType": "AzureKeyVault",
  "type": "Microsoft.Sql/servers/encryptionProtector",
  "uri": "https://cc-customer-vault.vault.azure.net/keys/cc-managed-key/01234123412341234123412341234123"
}

03 Repeat steps no. 1 and 2 for each SQL database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Publication date Jul 24, 2019
