Azure Transparent Data Encryption

Azure Transparent Data Encryption (TDE) is a technique for protecting data at rest by encrypting it, mainly database files, at the file level. It performs real-time encryption and decryption of the data, the associated backups, and the log files without any change to the application codebase. TDE applies to SQL Database, SQL Managed Instance and Azure Synapse Analytics.

TDE is called transparent because authorized users of the database do not need to create any macros or apply any special configuration to access the data.

TDE performs encryption and decryption at the page level: each page is decrypted as it is read into memory and encrypted again as it is written to disk. The encryption uses a symmetric key known as the Database Encryption Key (DEK), which is an AES256 key. The DEK is in turn encrypted with the Key Encryption Key (KEK). When the database starts, the KEK decrypts the DEK, and the decrypted DEK is then used to decrypt and re-encrypt the database files in the SQL Server database engine. The DEK is further protected by the TDE protector, which is set at the server level and inherited by all databases on that server. The TDE protector is either a service-managed certificate (service-managed transparent data encryption) or an asymmetric key stored in Azure Key Vault (customer-managed transparent data encryption).

All newly created databases are encrypted by default using service-managed TDE. SQL Databases created before May 2017 are not encrypted. Similarly, existing SQL Managed Instance databases created before February 2019 are not encrypted by default.

TDE cannot be used to encrypt system databases, for instance the master database, in Azure SQL DB and Azure SQL MI. The master database contains the objects that are needed to perform TDE operations on the user databases. To overcome this, Azure provides a feature called Infrastructure Encryption, which encrypts the system databases, including master.
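Because older databases may predate the encrypted-by-default behaviour, it is worth checking the actual TDE state rather than assuming it. The following T-SQL audit is an added example, not taken from the original post or from Microsoft's documentation; the findings labels are my own, and `[YourDatabase]` is a placeholder. On Azure SQL Database, run it while connected to the database being checked.

```sql
-- Added example: report TDE state, DEK algorithm and protector type per user database.
-- System databases are excluded because TDE does not apply to them (see above).
SELECT
    d.name                AS database_name,
    d.create_date,        -- compare against the May 2017 / February 2019 cut-offs
    d.is_encrypted,
    CASE k.encryption_state
        WHEN 0 THEN 'No database encryption key present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE        'No DEK row (TDE never enabled)'
    END                   AS tde_state,
    k.key_algorithm,      -- expected: AES
    k.key_length,         -- expected: 256
    k.encryptor_type,     -- CERTIFICATE or ASYMMETRIC KEY (the TDE protector kind)
    k.percent_complete,   -- non-zero only while an encryption scan is running
    CASE
        WHEN d.is_encrypted = 1 AND k.encryption_state = 3 THEN 'OK'
        WHEN k.encryption_state IN (2, 4, 6)               THEN 'IN PROGRESS'
        ELSE                                                    'REVIEW: not encrypted'
    END                   AS finding
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.name NOT IN (N'master', N'tempdb', N'model', N'msdb')
ORDER BY d.is_encrypted, d.create_date;

-- Remediation for a database flagged above (placeholder name):
-- ALTER DATABASE [YourDatabase] SET ENCRYPTION ON;
```

Re-run the query after enabling encryption and wait for `tde_state` to read `Encrypted` before treating the database as protected.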

Microsoft Doc
