Validating data encryption for Azure Database for MySQL
APPLIES TO: Azure Database for MySQL - Single Server
Azure Database for MySQL - Single Server is on the retirement path. We strongly recommend for you to upgrade to Azure Database for MySQL - Flexible Server. For more information about migrating to Azure Database for MySQL - Flexible Server, see What's happening to Azure Database for MySQL Single Server?
This article helps you validate that data encryption using customer managed key for Azure Database for MySQL is working as expected.
Check the encryption status
If you want to verify that the customer's key is used for encryption, follow these steps:
In the Azure portal, navigate to the Azure Key Vault -> Keys
Select the key used for server encryption.
Set the status of the key Enabled to No.
After some time (~15 min), the Azure Database for MySQL server Status should be Inaccessible. Any I/O operation done against the server will fail which validates that the server is indeed encrypted with customers key and the key is currently not valid.
In order to make the server Available against, you can revalidate the key.
Set the status of the key in the Key Vault to Yes.
On the server Data Encryption, select Revalidate key.
After the revalidation of the key is successful, the server Status changes to Available.
On the Azure portal, if you can ensure that the encryption key is set, then data is encrypted using the customers key used in the Azure portal.
We can use az CLI command to validate the key resources being used for the Azure Database for MySQL server.
az mysql server key list --name '<server_name>' -g '<resource_group_name>'
For a server without Data encryption set, this command results in empty set .
Azure audit reports
Audit Reports can also be reviewed that provides information about the compliance with data protection standards and regulatory requirements.
To learn more about data encryption, see Azure Database for MySQL data encryption with customer-managed key.