Public preview: TDE with customer managed keys on Azure SQL Hyperscale

This post has been republished via RSS; it originally appeared at: Azure SQL Database articles.

Azure SQL Transparent Data Encryption (TDE)  with customer-managed keys enables customers to control the key lifecycle management, permissions and operations of keys stored in their own Azure Key Vault. We are announcing the public preview of TDE with customer-managed keys on Azure SQL Database Hyperscale.

Quick start instructions with Azure CLI


1. Assign Azure AD identity to your server.


  • If it is a new server you are creating, then you can assign an AAD identity while creating it via az sql create
    az sql server create --name <servername> --resource-group <rgname> --location <location> --admin-user <user> --admin-password <password> --assign-identity
  • If it is an existing server can use az sql server sql server update --name <servername> --resource-group <rgname> --location <location> --admin-user <user> --admin-password <password> --assign-identity

       You will need the principalId from the commands above to be able to grant permissions in step 4. Example output is below

 "identity": {
"principalId": "bbbbbfsfs-2fde-4890-a7ce-aaaaaaaaaaa",
"tenantId": "aaaaaf-aaf1-41af-aaab-2d7cd0bbbbbb",
"type": "SystemAssigned"

2.  Create a test Hyperscale database


az sql db create --name <dbname> --server <servername> --resource-group <rgname> -e Hyperscale -f Gen5 -c 2


3. Create a Key vault in the same region as your database server and a key if you do not already have one


az keyvault create --name <keyvaultname> --resource-group <rgname> --location <location> --enable-soft-delete true az keyvault key create --name <keyname> --vault-name <keyvaultvname> --protection software


4. Grant Key vault permissions to your server Identity using the principalId from step1.


az keyvault set-policy --name <keyvaultvname> --object-id <principalID> --resource-group <rgname> --key-permissions wrapKey unwrapKey get


5. Obtain the kid from the key that was created in step 3 using the command below.


az keyvault key show --vault-name <keyvaultname> --name <keyname>


Snippet of output:

"kid": "",


6. Add the Key vault key to the server and set the TDE protector


az sql server key create --server <servername> --resource-group <rgname> --kid <keyID> az sql server tde-key set --server <servername> --server-key-type AzureKeyVault --resource-group <rgname> --kid <keyID>


7. Enable TDE at the database level. Note that the encryption could take a while depending on the database size and the tier.


az sql db tde set --database <dbname> --server <servername> --resource-group <rgname> --status Enabled


8. Check Encryption state and activity using CLI or powershell or TSQL



az sql db tde list-activity --database <dbname> --server <servername> --resource-group <rgname> # get whether encryption is on or off az sql db tde show --database <dbname> --server <servername> --resource-group <rgname>


TSQL : sys.dm_database_encryption_keys


-- encryptor_type will be ASYMMETRIC KEY SELECT database_id,encryptor_type,encryption_state, encryption_scan_state,percent_complete key_algorithm, encryptor_thumbprint FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID() GO


For more information please see requirements and recommendations for configuration customer-managed TDE


Azure SQL databases that have TDE with customer-managed keys on other tiers will be not able to update to Hyperscale tier and will fail with the error below:

Error message: 'The logical server is using customer managed key (AKV), switch to service managed key before moving to 'Hyperscale' edition. Update to service objective 'HS_Gen5_2' with customer managed key is not supported' for entity 'dbname'.


We will be addressing this before General availability of the feature.


Let us know your experiences as you try this out on hyperscale!

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.