Infrastructure double encryption for PostgreSQL Database Server should be enabled

Description

It is recommended to enable ‘infrastructure encryption’ when creating Azure Database for PostgreSQL servers. This additional layer of encryption is applied at the hardware level, so data is encrypted even before it is accessed; it protects data in motion from interception and protects data at rest in system resources. Enabling ‘infrastructure encryption’ also secures database backups. For the highest level of security, use a customer-managed asymmetric RSA 2048-bit key stored in Azure Key Vault for key-based encryption.

Remediation

From the console

Note: It is not possible to enable ‘infrastructure encryption’ on an existing Azure Database for PostgreSQL server.

The remediation steps detail the creation of a new Azure Database for PostgreSQL server with ‘infrastructure double encryption’ enabled.

  1. Follow the normal process of database creation.
  2. Under Additional settings, ensure that the "Infrastructure double encryption enabled" option is checked.
  3. Finish database creation as normal.
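The same remediation from the Azure CLI, plus an audit helper that flags existing servers created without the setting, as an added example that is not part of the original page. It assumes the `--infrastructure-encryption` flag of `az postgres server create` (single server), the `infrastructureEncryption` property in that server's output, a logged-in `az`, and an admin password supplied through the `PG_ADMIN_PASSWORD` environment variable.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the Azure CLI `az` is
# installed and logged in, and that audit rows arrive as TSV columns
# name, resourceGroup, infrastructureEncryption (as produced by the
# --query below).
set -eu

# Create a new Azure Database for PostgreSQL (single server) with
# infrastructure double encryption on. The setting cannot be turned on for
# an existing server, so it must be passed at creation time.
# PG_ADMIN_PASSWORD is an assumed environment variable.
create_pg_server() {
  rg="$1"; name="$2"; location="$3"; admin="$4"
  az postgres server create \
    --resource-group "$rg" --name "$name" --location "$location" \
    --admin-user "$admin" --admin-password "$PG_ADMIN_PASSWORD" \
    --sku-name GP_Gen5_2 \
    --infrastructure-encryption Enabled
}

# The only compliant value of infrastructureEncryption is "Enabled";
# "Disabled" and an empty/unset value (older servers) are both findings.
is_compliant() {
  [ "$1" = "Enabled" ]
}

# Read name/resourceGroup/infrastructureEncryption rows from stdin, print
# each non-compliant server, and return 1 if any was found (0 otherwise).
audit_servers() {
  rc=0
  while IFS="$(printf '\t')" read -r name rg enc; do
    if ! is_compliant "${enc:-}"; then
      echo "NON-COMPLIANT: $name (rg=$rg) infrastructureEncryption=${enc:-unset}"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./check.sh audit
#        ./check.sh create <resource-group> <server-name> <location> <admin-user>
if [ "$#" -gt 0 ]; then
  case "$1" in
    audit)
      az postgres server list \
        --query "[].[name,resourceGroup,infrastructureEncryption]" -o tsv \
        | audit_servers ;;
    create) shift; create_pg_server "$@" ;;
  esac
fi
```

Because the property cannot be changed in place, a finding from the audit is remediated by creating a replacement server with the `create` subcommand and migrating the data.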