Ensure Data Encryption is Enabled on SQL Server on Azure
Data encryption is a good practice for securing data. It protects against unauthorized access by encrypting a database's data files and log files, which prevents even administrators from accessing the data. When encryption is enabled on SQL Server on Azure, your data is protected at rest and in motion, from the time it's written to disk until it's read back by users or applications.
Verify the encryption setting
The encryption setting is not enabled by default in Azure SQL Database, so you need to enable it. For details on how to enable the setting and change its value, see [How to: Enable Always Encrypted](https://docs.microsoft.com/en-us/sql/relational-databases/sql-database/sql-database-features?view=sql-server-2017).
The encryption setting is enabled by default in Azure SQL Managed Instance, so you don't need to configure anything. For information about how Always Encrypted works with Azure SQL Managed Instance see [Always Encrypted for Managed Instances](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed?view=azuremd).
The encryption setting is enabled by default in Azure SQL Data Warehouse (SQL DW), so you don't need to configure anything or make any changes unless you want different behavior for your database or table than what's provided out of the box.
Enable data encryption on your SQL Server database
In order to ensure data encryption is enabled on your SQL Server database, you must enable the following:
- Data encryption for the entire database.
- Database encryption for the entire database.
- Encrypting the database with a certificate.
To configure these settings for SQL Server on Azure:
Go to your Azure portal, and then select SQL Databases from your left menu. Select a specific server that you want to enable data encryption on, and then click Encryption Settings from its menu options at the top of the page. In this new page that appears in your browser window, click Manage Keys & Certificates under "Encryption Settings & Keys."
This will take you to the Azure Key Vault page, which lists all of your Azure keys. Click the "Add" button under "Encryption Keys," and then select a certificate that has been issued by an authority such as Verisign.
Verify encryption for SQL database in Azure
To verify encryption for a SQL database in Azure, you can use the following steps:
- Open the Azure portal and sign in with your credentials.
- Click Data + Storage > Database on the left navigation bar.
- Select the database that you want to verify encryption for from the list of databases.
As you can see, there are several different ways to enable data encryption on your SQL Server database. In this article, we covered the methods of using Transparent Data Encryption and Always Encrypted with Azure Key Vault. We also discussed how SQL Server uses HSM for key management and how it's a good idea to keep your keys in an Azure Key Vault so that they're not available locally on any machine where they could be stolen. The last section talked about how you can use Azure Backup to make sure that your backup files will always be encrypted as well. For more information, check out our website, www.cloudmatos.com, to see how CloudMatos can help you.