articles/sql-database/transparent-data-encryption-byok-azure-sql.md
Lines changed: 4 additions & 5 deletions
@@ -4,14 +4,13 @@ description: "Bring Your Own Key (BYOK) support for Transparent Data Encryption
4
4
services: sql-database
5
5
ms.service: sql-database
6
6
ms.subservice: security
7
-
ms.custom: seo-lt-2019
7
+
ms.custom: seo-lt-2019, azure-synapse
8
8
ms.devlang:
9
9
ms.topic: conceptual
10
10
author: jaszymas
11
11
ms.author: jaszymas
12
12
ms.reviewer: vanto
13
-
ms.date: 02/12/2020
14
-
ms.custom: azure-synapse
13
+
ms.date: 03/18/2020
15
14
---
16
15
# Azure SQL Transparent Data Encryption with customer-managed key
17
16
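Review bot: the front matter previously carried `ms.custom` twice (line 7 `ms.custom: seo-lt-2019` and line 14 `ms.custom: azure-synapse`), which is a duplicate key in a YAML mapping; depending on the parser the second value silently overrides the first or the file is rejected. Folding both values into the single line `ms.custom: seo-lt-2019, azure-synapse` is the right fix, and bumping `ms.date` to 03/18/2020 is consistent with the body edits in the later hunks.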
@@ -68,7 +67,7 @@ Auditors can use Azure Monitor to review key vault AuditEvent logs, if logging i
68
67
69
68
- Key vault and SQL Database/managed instance must belong to the same Azure Active Directory tenant. Cross-tenant key vault and server interactions are not supported. To move resources afterwards, TDE with AKV will have to be reconfigured. Learn more about [moving resources](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-move-resources).
70
69
71
-
-[Soft-delete](https://docs.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete) feature must be enabled on the key vault, to protect from data loss accidental key (or key vault) deletion happens. Soft-deleted resources are retained for 90 days, unless recovered or purged by the customer in the meantime. The *recover* and *purge* actions have their own permissions associated in a key vault access policy. Soft-delete feature is off by default and can be enabled via [Powershell](https://docs.microsoft.com/azure/key-vault/key-vault-soft-delete-powershell#enabling-soft-delete) or [CLI](https://docs.microsoft.com/azure/key-vault/key-vault-soft-delete-cli#enabling-soft-delete). It cannot be enabled via Azure portal.
70
+
-[Soft-delete](https://docs.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete) feature must be enabled on the key vault, to protect from data loss accidental key (or key vault) deletion happens. Soft-deleted resources are retained for 90 days, unless recovered or purged by the customer in the meantime. The *recover* and *purge* actions have their own permissions associated in a key vault access policy. Soft-delete feature is off by default and can be enabled via [PowerShell](https://docs.microsoft.com/azure/key-vault/key-vault-soft-delete-powershell#enabling-soft-delete) or [CLI](https://docs.microsoft.com/azure/key-vault/key-vault-soft-delete-cli#enabling-soft-delete). It cannot be enabled via Azure portal.
72
71
73
72
- Grant the SQL Database server or managed instance access to the key vault (get, wrapKey, unwrapKey) using its Azure Active Directory identity. When using Azure portal, the Azure AD identity gets automatically created. When using PowerShell or CLI, the Azure AD identity must be explicitly created and completion should be verified. See [Configure TDE with BYOK](transparent-data-encryption-byok-azure-sql-configure.md) and [Configure TDE with BYOK for Managed Instance](https://aka.ms/sqlmibyoktdepowershell) for detailed step-by-step instructions when using PowerShell.
74
73
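Review bot: the only change here is the capitalization of "PowerShell", but the rewritten line still carries the garbled clause "to protect from data loss accidental key (or key vault) deletion happens"; since the line is being touched anyway, suggest "to protect from data loss if accidental key (or key vault) deletion happens". The sentence on *recover* and *purge* having their own access-policy permissions is worth keeping as is, since it tells the reader that enabling soft-delete alone does not decide who can bring a key back or destroy it for good.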
@@ -94,7 +93,7 @@ Auditors can use Azure Monitor to review key vault AuditEvent logs, if logging i
94
93
95
94
- Enable auditing and reporting on all encryption keys: Key vault provides logs that are easy to inject into other security information and event management tools. Operations Management Suite [Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-azure-key-vault) is one example of a service that is already integrated.
96
95
97
-
- Link each server with two key vaults that reside in different regions and hold the same key material, to ensure high availability of encrypted databases. Mark only the key from the key vault in the same region as a TDE protector. System will use
96
+
- Link each server with two key vaults that reside in different regions and hold the same key material, to ensure high availability of encrypted databases. Mark only the key from the key vault in the same region as a TDE protector. System will automatically switch to the key vault in the remote region if there is an outage affecting the key vault in the same region.
98
97
99
98
### Recommendations when configuring TDE protector
100
99
- Keep a copy of the TDE protector on a secure place or escrow it to the escrow service.
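Review bot: the completed sentence "System will automatically switch to the key vault in the remote region if there is an outage affecting the key vault in the same region" restores the text that was cut off at "System will use", but it does not say that the server's Azure AD identity needs the same get, wrapKey and unwrapKey access on the second vault; the requirement in the earlier hunk (line 73) refers to "the key vault" in the singular, so a reader could link a remote-region vault that the server cannot actually use when the switch happens. Suggest adding that both vaults must grant the same permissions, and for style "The system will automatically switch" reads better than "System will automatically switch".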