The SQL server's Transparent Data Encryption (TDE) protector should be encrypted with a customer-managed key
Warning: This rule will be deprecated on 18 December 2023 as part of the update to Azure CIS version 2.0.0
Description
Transparent Data Encryption (TDE) supported by customer-managed keys provides increased transparency and control over the TDE Protector and increased security with an external service backed by hardware security modules (HSM). It also promotes separation of duties.
With TDE, data is encrypted at rest with a symmetric key (also known as the database encryption key) stored in the database or data warehouse distribution. In the past, to protect this data encryption key (DEK), only a certificate that was managed by the Azure SQL Service could be used. Now, with customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages HSMs validated by FIPS 140-2 Level 2, and allows the separation of management of keys and data for additional security.
Based on business needs or the criticality of data and databases hosted on a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (customer-managed key).
Default value
By default, a SQL server uses a service-managed TDE protector (a key managed by Microsoft).
Rationale
Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.
Impact
Once the TDE protector is encrypted with a customer-managed key, responsibility for managing that key transfers to you. Hence, you must be careful about carrying out any operations on that particular key, and make sure the data on the corresponding SQL server and its databases remains accessible, since it depends on that key.
When deploying customer-managed keys, it is important to ensure that you also deploy an automated toolset for managing these keys. The toolset should include discovery and key rotation. Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault.
Regarding toolsets, check with your cryptographic key provider, as they may provide one as an add-on to their service.
From the console
- Go to SQL servers.
- For your server instance, click Transparent data encryption.
- Set Transparent data encryption to Customer-managed key.
- Browse through your key vaults to select an existing key or create a new key in the Azure Key Vault.
- Check Make selected key the default TDE protector.
From the command line
Use the following command to encrypt the SQL server’s TDE protector with a customer-managed key:
az sql server tde-key set --resource-group <resourceGroupName> --server <dbServerName> --server-key-type AzureKeyVault --kid <keyIdentifier>
Using PowerShell
Use the following command to encrypt the SQL server’s TDE protector with a customer-managed Key Vault key:
Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId <KeyIdentifier> -ServerName <ServerName> -ResourceGroupName <ResourceGroupName>
Select Y when prompted.
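As an added example (not part of the Datadog rule or the Azure tooling), the script below audits the current TDE protector of several SQL servers and builds the az CLI remediation shown above for any server still using a service-managed protector. It assumes the JSON returned by `az sql server tde-key show` carries the fields `serverKeyType` and `uri`; the sample output, server names and Key Vault key identifier are constructed.

```python
import json
import re
import shlex

# Key Vault key identifier: https://<vault>.vault.azure.net/keys/<name>[/<version>]
KEY_VAULT_KEY_URI = re.compile(
    r"^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+(/[0-9a-f]{32})?$", re.I
)


def evaluate_protector(protector: dict) -> tuple[bool, str]:
    """Judge one server's protector. Assumed shape of `az sql server tde-key show`
    output: serverKeyType (ServiceManaged | AzureKeyVault) and uri (key identifier)."""
    key_type = protector.get("serverKeyType")
    uri = protector.get("uri")
    if key_type != "AzureKeyVault":
        return False, f"protector is {key_type!r}, not a customer-managed Key Vault key"
    if not uri or not KEY_VAULT_KEY_URI.match(uri):
        return False, f"protector is AzureKeyVault but the key URI is malformed: {uri!r}"
    return True, "TDE protector is a customer-managed Key Vault key"


def remediation_command(resource_group: str, server: str, kid: str) -> str:
    """The page's az CLI remediation, with arguments shell-quoted."""
    return " ".join(["az sql server tde-key set",
                     "--resource-group", shlex.quote(resource_group),
                     "--server", shlex.quote(server),
                     "--server-key-type AzureKeyVault",
                     "--kid", shlex.quote(kid)])


def audit(servers: list[dict], target_kid: str) -> list[dict]:
    """Evaluate each server and attach a remediation command to non-compliant ones."""
    findings = []
    for entry in servers:
        ok, reason = evaluate_protector(json.loads(entry["protector_json"]))
        finding = {"server": entry["server"], "compliant": ok, "reason": reason}
        if not ok:
            finding["remediation"] = remediation_command(
                entry["resource_group"], entry["server"], target_kid)
        findings.append(finding)
    return findings


# Constructed sample: `az sql server tde-key show` output for two servers
TARGET_KID = "https://kv-tde-prod.vault.azure.net/keys/tde-protector/0123456789abcdef0123456789abcdef"
SAMPLE_SERVERS = [
    {"resource_group": "rg-prod", "server": "sql-prod-01",
     "protector_json": '{"serverKeyType": "ServiceManaged", "uri": null}'},
    {"resource_group": "rg-prod", "server": "sql-prod-02",
     "protector_json": json.dumps({"serverKeyType": "AzureKeyVault", "uri": TARGET_KID})},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVERS, TARGET_KID):
        print(finding)
```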
References
- https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql
- https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/
- https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault
- https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required
- https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts
- https://docs.microsoft.com/en-us/cli/azure/sql/server/tde-key?view=azure-cli-latest
- https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0
- https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0