Azure CLI script to enable transparent data encryption using your own key

Applies to: Azure SQL Managed Instance

This Azure CLI script example configures transparent data encryption (TDE) in Azure SQL Managed Instance, using a customer-managed key from Azure Key Vault. This is often referred to as a bring-your-own-key (BYOK) scenario for TDE. To learn more about TDE with customer-managed key, see TDE Bring Your Own Key to Azure SQL.

This sample requires an existing managed instance, see Use Azure CLI to create an Azure SQL Managed Instance.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

Sample script

For this script, use Azure CLI locally as it takes too long to run in Cloud Shell.

Sign in to Azure

Use the following script to sign in using a specific subscription.

subscription="<subscriptionId>" # add subscription here

az account set -s $subscription # ...or use 'az login'

For more information, see set active subscription or log in interactively

Run the script

# Manage Transparent Data Encryption in a Managed Instance using your own key from Azure Key Vault

# Run this script after the script in https://docs.microsoft.com/azure/azure-sql/managed-instance/scripts/create-configure-managed-instance-cli creates a managed instance.
# You can use the same variables in both scripts/
# If running this script against a different existing instance, uncomment and add appropriate values to next 3 lines of code
# let "randomIdentifier=$RANDOM*$RANDOM"
# instance="<msdocs-azuresql-instance>" # add instance here
# resourceGroup="<msdocs-azuresql-rg>" # add resource here

# Variable block
location="East US"
vault="msdocssqlvault$randomIdentifier"
key="msdocs-azuresql-key-$randomIdentifier"

# echo assigning identity to service principal in the instance
az sql mi update --name $instance --resource-group $resourceGroup --assign-identity

echo "Creating $vault..."
az keyvault create --name $vault --resource-group $resourceGroup --location "$location"

echo "Getting service principal id and setting policy on $vault..."
instanceId=$(az sql mi show --name $instance --resource-group $resourceGroup --query identity.principalId --output tsv)

echo $instanceId
az keyvault set-policy --name $vault --object-id $instanceId --key-permissions get unwrapKey wrapKey

echo "Creating $key..."
az keyvault key create --name $key --vault-name $vault --size 2048 

# keyPath="C:\yourFolder\yourCert.pfx"
# keyPassword="yourPassword" 
# az keyvault certificate import --file $keyPath --name $key --vault-name $vault --password $keyPassword

echo "Setting security on $instance with $key..."
keyId=$(az keyvault key show --name $key --vault-name $vault -o json --query key.kid | tr -d '"')

az sql mi key create --kid $keyId --managed-instance $instance --resource-group $resourceGroup
az sql mi tde-key set --server-key-type AzureKeyVault --kid $keyId --managed-instance $instance --resource-group $resourceGroup

Clean up resources

Use the following command to remove the resource group and all resources associated with it using the az group delete command - unless you have an ongoing need for these resources. Some of these resources may take a while to create, as well as to delete.

az group delete --name $resourceGroup

Sample reference

This script uses the following commands. Each command in the table links to command specific documentation.

Command Description
az sql db Database commands.
az sql failover-group Failover group commands.

Next steps

For more information on Azure CLI, see Azure CLI documentation.

Additional SQL Database CLI script samples can be found in the Azure SQL Database documentation.