Commit 6002e8e

Merge pull request #35431 from Pietervanhove/patch-12
Specify AES 256 in CBC mode for TDE encryption
2 parents deb92da + f794de0 commit 6002e8e

1 file changed

Lines changed: 1 addition & 1 deletion

azure-sql/database/transparent-data-encryption-tde-overview.md

@@ -37,7 +37,7 @@ For Azure SQL Database and Azure Synapse, the TDE protector is set at the [serve
3737
3838
## Service-managed transparent data encryption
3939

40-
In Azure, the default setting for TDE is that the DEK is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256. If a database is in a geo-replication relationship, both the primary and geo-secondary databases are protected by the primary database's parent server key. If two databases are connected to the same server, they also share the same built-in certificate. Microsoft automatically rotates these certificates once a year, in compliance with the internal security policy, and the root key is protected by a Microsoft internal secret store. Customers can verify SQL Database and SQL Managed Instance compliance with internal security policies in independent third-party audit reports available on the [Microsoft Trust Center](https://servicetrust.microsoft.com/).
40+
In Azure, the default setting for TDE is that the DEK is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256 in Cipher Block Chaining (CBC) mode. If a database is in a geo-replication relationship, both the primary and geo-secondary databases are protected by the primary database's parent server key. If two databases are connected to the same server, they also share the same built-in certificate. Microsoft automatically rotates these certificates once a year, in compliance with the internal security policy, and the root key is protected by a Microsoft internal secret store. Customers can verify SQL Database and SQL Managed Instance compliance with internal security policies in independent third-party audit reports available on the [Microsoft Trust Center](https://servicetrust.microsoft.com/).
4141

4242
Microsoft also seamlessly moves and manages the keys as needed for geo-replication and restores.
4343
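
Review bot: On the added line 40, "the encryption algorithm used is AES 256 in Cipher Block Chaining (CBC) mode" is still attached to the sentence about the built-in server certificate, so it is unclear whether the cipher and mode describe how the DEK encrypts the database or how the certificate protects the DEK. A block cipher mode normally describes the symmetric data encryption, while the certificate's role here is stated as protecting the DEK, so consider splitting the sentence: keep "The built-in server certificate is unique for each server." on its own and follow it with a separate sentence that names what is encrypted with AES 256 in CBC mode. Because CBC provides confidentiality only, it would also help to avoid wording elsewhere in this section that could be read as a tamper-protection guarantee.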
