Plugin Title TDE Protector Encrypted
Cloud AZURE
Category SQL Server
Description Ensures SQL Server TDE protector is encrypted with BYOK (Bring Your Own Key)
More Info Enabling BYOK in the TDE protector allows for greater control and transparency, as well as increasing security by having full control of the encryption keys.
AWS Link https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql
Recommended Action Ensure that a BYOK key is set for the Transparent Data Encryption of each SQL Server.


Detailed Remediation Steps

  1. Log into the Microsoft Azure Management Console.
  2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
  3. On the "SQL servers" page, select the SQL server that needs to be examined.
  4. On the selected "SQL server" page, scroll down the left navigation panel and select "Transparent data encryption" under the "Security" section.
  5. On the "Transparent data encryption" page, if "Use your own key" is set to "NO", then the selected SQL server's TDE protector is not encrypted with BYOK (Bring Your Own Key).
  6. Repeat steps 2 through 5 to verify the other SQL servers in the account.
  7. Navigate to "SQL servers". On the "SQL servers" page, select the SQL server, scroll down the left navigation panel and choose "Transparent data encryption" under the "Security" section.
  8. On the "Transparent data encryption" page, click the "Yes" button next to "Use your own key". Select the "Key vault" and "Key" accordingly. Tick the checkbox next to "Make the selected key the default TDE protector."
  9. Click the "Save" button at the top to apply the changes.
  10. Repeat steps 7 through 9 to ensure that a BYOK key is set for the Transparent Data Encryption of each SQL server.
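The portal steps above can be checked programmatically. The Azure CLI command `az sql server tde-key show -g <resource-group> -s <server>` returns the server's current TDE protector as JSON, with a `serverKeyType` of either `ServiceManaged` (no BYOK) or `AzureKeyVault` (BYOK). The following script is an added example, not part of this plugin or of any Azure tooling: it evaluates such JSON records with the same pass/fail logic the plugin describes. The server names, key names and key vault URIs in `SAMPLE_TDE_KEYS` are constructed for the example; in practice each record would be the output of the `az` command for one server.

```python
"""Evaluate whether each SQL server's TDE protector uses BYOK (Azure Key Vault).

Added example; the JSON shape mirrors `az sql server tde-key show`, but the
records below are constructed sample data, not captured from a subscription.
"""
import json

# Constructed sample output, one record per SQL server (names are hypothetical).
SAMPLE_TDE_KEYS = {
    "sql-prod-01": json.dumps({
        "serverKeyName": "ServiceManaged",
        "serverKeyType": "ServiceManaged",
        "uri": None,
    }),
    "sql-prod-02": json.dumps({
        "serverKeyName": "kv-prod_tde-key_0123456789abcdef",
        "serverKeyType": "AzureKeyVault",
        "uri": "https://kv-prod.vault.azure.net/keys/tde-key/0123456789abcdef",
    }),
    # A record with no key type at all (e.g. a partially returned response).
    "sql-dev-01": json.dumps({"serverKeyName": "ServiceManaged"}),
    # Malformed output, such as an error message instead of JSON.
    "sql-dev-02": "ERROR: The Resource 'sql-dev-02' was not found.",
}


def tde_protector_uses_byok(tde_key_json: str) -> bool:
    """Return True only if the protector is a customer-managed Key Vault key.

    Raises ValueError when the input is not the JSON object the CLI returns,
    so callers can report an unknown state instead of silently passing.
    """
    try:
        record = json.loads(tde_key_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not a JSON record: {exc}") from exc
    if not isinstance(record, dict):
        raise ValueError("expected a JSON object describing the TDE protector")
    # Both conditions must hold: the key type says Key Vault AND a key URI is
    # present. A missing or ServiceManaged key type means the default
    # service-managed protector is still in use.
    return record.get("serverKeyType") == "AzureKeyVault" and bool(record.get("uri"))


def evaluate_servers(records: dict) -> list:
    """Map each server name to a PASS / FAIL / UNKNOWN finding."""
    findings = []
    for server, payload in records.items():
        try:
            byok = tde_protector_uses_byok(payload)
        except ValueError as exc:
            findings.append({"server": server, "status": "UNKNOWN",
                             "message": f"Could not read TDE protector: {exc}"})
            continue
        if byok:
            findings.append({"server": server, "status": "PASS",
                             "message": "SQL Server TDE protector is encrypted with BYOK"})
        else:
            findings.append({"server": server, "status": "FAIL",
                             "message": "SQL Server TDE protector is not encrypted with BYOK"})
    return findings


def failing_servers(records: dict) -> list:
    """Names of servers that need remediation (steps 7-9 above)."""
    return [f["server"] for f in evaluate_servers(records) if f["status"] == "FAIL"]


if __name__ == "__main__":
    for finding in evaluate_servers(SAMPLE_TDE_KEYS):
        print(f"{finding['server']}: {finding['status']} - {finding['message']}")
```

The check deliberately requires both `serverKeyType == "AzureKeyVault"` and a non-empty `uri`, and it reports `UNKNOWN` rather than `PASS` when the record cannot be parsed, so an API error or an empty response never counts as compliant.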
