
Encryption on master database on Azure SQL Database

Tom 231 Reputation points
2026-03-02T16:39:08.3233333+00:00

I'm using a tool to check for ISO-27001 compliance for a cloud application architecture on Azure. It has flagged that the master database on an Azure SQL server does not have transparent data encryption (TDE) turned on. According to Microsoft's documentation

TDE can't be used to encrypt system databases, such as the master database, in SQL Database and SQL Managed Instance. The master database contains objects that are needed to perform TDE operations on user databases. It's recommended not to store any sensitive data in system databases. The exception is tempdb, which is always encrypted by a special asymmetric key owned by Microsoft. This is by design and ensures that temporary objects are protected.

Is this issue something that should be ignored or is there an alternative to TDE that should be used?

Azure SQL Database

Answer accepted by question author
  Pilladi Padma Sai Manisha 4,990 Reputation points Microsoft External Staff Moderator
    2026-03-02T17:20:04.6233333+00:00

    Hi Tom,
    Thank you for reaching Microsoft Q&A!
    This behavior is expected and by design in Azure SQL Database.

    Transparent Data Encryption (TDE) cannot be enabled on system databases such as the master database. Microsoft manages encryption of system databases at the platform level, and customers do not have the ability to configure TDE on them. This is documented product behavior and does not represent a security gap.

    In Azure SQL Database:

    TDE is automatically enabled for all user databases.

    The master database is a system database and is not intended to store application or sensitive business data.

    Encryption at rest is enforced by the Azure platform as part of Microsoft’s shared responsibility model.

    tempdb is always encrypted automatically.

    Compliance tools sometimes flag this because they apply generic SQL Server checks that do not account for Azure PaaS architecture. However, this configuration is compliant and aligned with Microsoft’s security design.

    Therefore, this finding can be considered informational and does not require remediation.


Answer accepted by question author
  Erland Sommarskog 132.9K Reputation points
    2026-03-02T17:02:33.9266667+00:00

    For now you need to ignore the recommendation from the tool, since there is no way to encrypt master. The risk is of course that an IT auditor with poor understanding of Azure will insist that master should be encrypted. In that case, you need to show the documentation right in the face of the auditor.

    Note also what that excerpt says: You should absolutely not put any sensitive information in master. (Although, you may store the name of logins there, and that could be considered sensitive PII.)

    If there would be a big push in general from auditors, I guess Microsoft will come up with something.


1 additional answer

  Q&A Assist
    2026-03-02T16:39:22.3166667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The recommendation must not be ignored. It reflects a fundamental design constraint of Azure SQL Database and SQL Managed Instance.

    Key points:

    1. System databases (including master) cannot be encrypted with TDE
      • TDE cannot be used to encrypt system databases such as master in Azure SQL Database and Azure SQL Managed Instance because master holds the objects and keys needed to perform TDE operations on user databases.
      • This is by design and is documented behavior, not a misconfiguration.
    2. Security expectation for master
      • Because master cannot be encrypted with TDE, the security guidance is to avoid storing any sensitive data in system databases.
      • For data that requires encryption at rest, use user databases where TDE is supported and, for newly created Azure SQL databases, enabled by default.
    3. Exception for tempdb
      • tempdb is always encrypted by a special asymmetric key owned by Microsoft to ensure temporary objects are protected.
    4. Compliance tooling considerations
      • A generic ISO-27001 or security scanner that flags master as “not TDE-encrypted” is not Azure-aware in this respect. The correct response is to document this as an accepted design constraint of the platform, with a compensating control: no sensitive data in master, and TDE enabled on all user databases that store sensitive data.
    5. Best practice
      • Ensure TDE remains enabled on all user databases that store sensitive data.
      • Explicitly document in the security and compliance artifacts that master is intentionally not TDE-encrypted by design and that sensitive data is prohibited there.

    References:

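The answers above agree on the practical response: treat the master finding as informational, keep sensitive data out of system databases, and make sure TDE is actually on for every user database. The script below is an added example (not from the question or any of the answers) of an Azure-aware version of that check. It assumes you have run `SELECT name, is_encrypted FROM sys.databases;` on the logical server and feed the rows in; the sample rows are constructed, and the resource group and server names in the remediation command are placeholders.

```python
"""Azure-aware TDE status check for the databases on a logical SQL server.

Added example, not code from the Q&A thread. Input rows are assumed to come
from the T-SQL query  SELECT name, is_encrypted FROM sys.databases;  run
against the server. The rows at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# System databases named in the documentation excerpt quoted in the question.
# Customers cannot configure TDE on them; Microsoft manages their encryption
# at the platform level, so a "not encrypted" reading here is not a gap.
SYSTEM_DATABASES = {"master", "tempdb"}


@dataclass(frozen=True)
class Finding:
    database: str
    severity: str   # "pass", "info" or "fail"
    message: str


def assess_tde(rows: Iterable[Tuple[str, int]]) -> List[Finding]:
    """Classify each (name, is_encrypted) row the way an Azure-aware scanner should."""
    findings: List[Finding] = []
    for name, is_encrypted in rows:
        if name in SYSTEM_DATABASES:
            # Accepted design constraint: document it, do not try to "fix" it.
            findings.append(Finding(
                name, "info",
                "system database; TDE is platform-managed and cannot be set by "
                "the customer. Compensating control: store no sensitive data here.",
            ))
        elif is_encrypted:
            findings.append(Finding(name, "pass", "TDE enabled"))
        else:
            # This is the finding that actually needs remediation.
            findings.append(Finding(name, "fail", "user database without TDE"))
    return findings


def needs_remediation(findings: Iterable[Finding]) -> List[str]:
    """Return the names of user databases that really must be fixed."""
    return [f.database for f in findings if f.severity == "fail"]


def remediation_command(resource_group: str, server: str, database: str) -> str:
    """Azure CLI command that turns TDE on for one user database.

    Resource group and server are placeholders supplied by the caller.
    """
    return (f"az sql db tde set --resource-group {resource_group} "
            f"--server {server} --database {database} --status Enabled")


# Constructed sample rows, standing in for a real sys.databases result set.
SAMPLE_ROWS = [("master", 0), ("appdb", 1), ("reporting", 0)]

if __name__ == "__main__":
    results = assess_tde(SAMPLE_ROWS)
    for f in results:
        print(f"{f.severity.upper():5} {f.database}: {f.message}")
    for db in needs_remediation(results):
        print(remediation_command("<resource-group>", "<server-name>", db))
```

Running it on the sample rows reports master as informational, appdb as passing, and reporting as the one real failure, together with the `az sql db tde set` command to enable TDE on it. The "info" message is the text you would carry into the compliance artifact as the documented, accepted design constraint.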
