SQL server's Transparent Data Encryption (TDE) protector should be encrypted with a customer-managed key

azure.sql
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

By default, the TDE protector managed by Microsoft is enabled for a SQL server, but with customer-managed key support, users gain control over Transparent Data Encryption (TDE) encryption keys. This support allows for the encryption of the TDE protector with a key managed by the data owner, providing increased transparency and control. Azure Key Vault, a cloud-based key store, offers central key management and the use of hardware security modules (HSMs) for enhanced security. When deploying customer-managed keys, it is essential to have an automated toolset for key management, including discovery and rotation, and to store the keys in an HSM or hardware-backed keystore. Additionally, it is recommended to check with your cryptographic key provider for any available add-ons or toolsets related to key management.

Remediation

From the console

  1. Go to SQL servers.
  2. For your server instance, click Transparent data encryption.
  3. Set Transparent data encryption to Customer-managed key.
  4. Browse through your key vaults to select an existing key or create a new key in the Azure Key Vault.
  5. Check Make selected key the default TDE protector.