Use SQL database TDE

March 21, 2025

SYNOPSIS

Use Transparent Data Encryption (TDE) with Azure SQL Database.

DESCRIPTION

TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is performed at rest without requiring changes to the application.

By default, TDE is enabled for all user-defined databases.

RECOMMENDATION

Consider enabling Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.

EXAMPLES

Configure with Azure template

To deploy databases that pass this rule:

  • Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
    • Set the properties.state to Enabled.

For example:

{
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "apiVersion": "2023-08-01-preview",
  "name": "[format('{0}/{1}/{2}', parameters('name'), parameters('name'), 'current')]",
  "properties": {
    "state": "Enabled"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]"
  ]
}

Configure with Bicep

To deploy databases that pass this rule:

  • Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
    • Set the properties.state to Enabled.

For example:

resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2023-08-01-preview' = {
  parent: database
  name: 'current'
  properties: {
    state: 'Enabled'
  }
}
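The following script is an added example, not part of this rule's documentation or of PSRule's own implementation: it walks an ARM template (the JSON form shown above, or the JSON produced by compiling the Bicep form with az bicep build) and reports every database whose transparentDataEncryption sub-resource is absent or not set to Enabled, handling both top-level and nested child declarations. The template, server and database names are constructed for illustration; an undeclared sub-resource is reported so the reviewer can decide whether relying on the platform default is acceptable.

```python
import json

DB_TYPE = "microsoft.sql/servers/databases"
TDE_TYPE = DB_TYPE + "/transparentdataencryption"

# Constructed ARM template (not from the page). db-encrypted declares TDE Enabled
# as a nested child; db-plain declares Disabled at top level; db-undeclared has none.
TEMPLATE = json.loads('''{"resources": [
  {"type": "Microsoft.Sql/servers/databases", "name": "sql01/db-encrypted",
   "apiVersion": "2023-08-01-preview", "resources": [
     {"type": "transparentDataEncryption", "name": "current",
      "apiVersion": "2023-08-01-preview", "properties": {"state": "Enabled"}}]},
  {"type": "Microsoft.Sql/servers/databases", "name": "sql01/db-plain",
   "apiVersion": "2023-08-01-preview"},
  {"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
   "name": "sql01/db-plain/current", "apiVersion": "2023-08-01-preview",
   "properties": {"state": "Disabled"}},
  {"type": "Microsoft.Sql/servers/databases", "name": "sql01/db-undeclared",
   "apiVersion": "2023-08-01-preview"}
]}''')


def flatten(resources, ptype="", pname=""):
    """Yield (full_type, full_name, resource); nested children carry only their own
    type/name segment, so the parent's segments are prefixed (ARM convention)."""
    for r in resources:
        rtype = f"{ptype}/{r['type']}" if ptype else r["type"]
        name = f"{pname}/{r['name']}" if pname else r["name"]
        yield rtype.lower(), name, r
        yield from flatten(r.get("resources", []), rtype, name)


def tde_state(template):
    """Map '<server>/<db>' to 'Enabled', 'Disabled' or 'Undeclared' (no sub-resource
    in the template, so the platform default applies but the template asserts nothing)."""
    declared, databases = {}, []
    for rtype, name, r in flatten(template.get("resources", [])):
        if rtype == TDE_TYPE:   # named '<server>/<db>/current'; key on the parent db
            declared[name.rsplit("/", 1)[0]] = r.get("properties", {}).get("state", "")
        elif rtype == DB_TYPE:
            databases.append(name)
    return {db: declared.get(db, "Undeclared") for db in databases}


def failing_databases(template):
    """Databases whose template does not explicitly set TDE state to Enabled."""
    return sorted(db for db, s in tde_state(template).items() if s.lower() != "enabled")
```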

Configure with Azure CLI

az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'

Configure with Azure PowerShell

Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled

Configure with Azure Policy

To address this issue at runtime, use the following policies: