Query: SQL servers should use customer-managed keys to encrypt data at rest
Description
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Query
Tables used in this query:
Controls using this query:
- 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- 4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- 5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- SQL servers should use customer-managed keys to encrypt data at rest