SQL server's Transparent Data Encryption (TDE) protector should be encrypted with a customer-managed key

Description

By default, a SQL server's TDE protector is a key managed by Microsoft. With customer-managed key support, the TDE protector is instead encrypted with a key that the data owner controls, which gives the owner transparency over, and control of, the Transparent Data Encryption (TDE) keys. Azure Key Vault, a cloud-based key store, provides central key management and can back keys with hardware security modules (HSMs). When deploying customer-managed keys, use an automated toolset for key management, including key discovery and rotation, and store the keys in an HSM or hardware-backed keystore. Also check with your cryptographic key provider for any add-ons or toolsets related to key management.

Remediation

From the console

  1. Go to SQL servers.
  2. For your server instance, click Transparent data encryption.
  3. Set Transparent data encryption to Customer-managed key.
  4. Browse through your key vaults to select an existing key or create a new key in the Azure Key Vault.
  5. Check Make selected key the default TDE protector.
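As an added example (not part of this rule page), the same check from the command line: a POSIX shell script that classifies a server's TDE protector from the JSON that `az sql server tde-key show` prints. The field names `serverKeyType` and `uri` are assumed from the encryption protector resource, and the two JSON samples are constructed.

```shell
#!/bin/sh
# Added example: evaluate the TDE protector from the output of
#   az sql server tde-key show --resource-group <rg> --server <server>
# Field names (serverKeyType, uri) are assumed; sample JSON below is constructed.

# Extract one string-valued field from a JSON object (sed only, no jq needed).
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Print the protector type: ServiceManaged (Microsoft key) or AzureKeyVault (CMK).
tde_protector_key_type() {
    json_field serverKeyType "$1"
}

# Exit 0 when the protector is a customer-managed key whose URI points at a
# Key Vault or Managed HSM key; exit 1 otherwise (CMK without a key URI fails).
tde_protector_is_cmk() {
    ktype=$(tde_protector_key_type "$1")
    uri=$(json_field uri "$1")
    [ "$ktype" = "AzureKeyVault" ] || return 1
    case "$uri" in
        https://*.vault.azure.net/keys/*|https://*.managedhsm.azure.net/keys/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: protector still uses the Microsoft-managed key.
SERVICE_MANAGED='{
  "serverKeyName": "ServiceManaged",
  "serverKeyType": "ServiceManaged",
  "uri": null
}'

# Constructed sample: protector is a customer-managed key in Key Vault.
CUSTOMER_MANAGED='{
  "serverKeyName": "contoso-kv_tde-key_0123456789abcdef0123456789abcdef",
  "serverKeyType": "AzureKeyVault",
  "uri": "https://contoso-kv.vault.azure.net/keys/tde-key/0123456789abcdef0123456789abcdef"
}'

# Print one finding line per server, in the style of a posture check.
report() {
    if tde_protector_is_cmk "$2"; then
        echo "$1: compliant (TDE protector is a customer-managed key)"
    else
        echo "$1: NOT compliant (serverKeyType=$(tde_protector_key_type "$2"))"
    fi
}

report "sql-prod-01" "$SERVICE_MANAGED"
report "sql-prod-02" "$CUSTOMER_MANAGED"
```

In practice, replace the constructed samples with `"$(az sql server tde-key show --resource-group <rg> --server <server> -o json)"` for each server you inventory.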