last sync: 2025-Apr-29 17:16:02 UTC

[Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest
Id 0d134df8-db83-46fb-ad72-fe0c9428c8dd
Version 2.0.1-deprecated
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.1 (2.0.1-deprecated)
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Assessment(s) Assessments count: 1
Assessment Id: 1a93e945-3675-aef6-075d-c661498e1046
DisplayName: [Enable if required] SQL servers should use customer-managed keys to encrypt data at rest
Description: Using customer-managed keys for encrypting data at rest provides increased transparency, control, and security.
This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements.
If not enabled, the data will be encrypted using platform-managed keys.
This is particularly relevant for organizations with related compliance requirements.
To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope.

Remediation description: To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql
Categories: Data
Severity: Low
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated True
Reference Reference to 1 related Policy definition (taken from description)
SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/servers/encryptionProtector/serverKeyType Microsoft.Sql servers/encryptionProtector properties.serverKeyType True False
Microsoft.Sql/servers/encryptionProtector/uri Microsoft.Sql servers/encryptionProtector properties.uri True False
Rule resource types IF (1)
Compliance Not a Compliance control
Initiatives usage none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-12-06 22:17:57 change Version remains equal, new suffix: deprecated (2.0.1 > 2.0.1-deprecated)
2020-12-11 15:42:52 change Major (1.0.0 > 2.0.1)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC