Enabling transparent data encryption (TDE) with Key Vault certificates
To enable Transparent Data Encryption (TDE) with Key Vault certificates in an Azure SQL database, you will need to set up a few Azure resources. TDE encrypts the storage of an entire database using a symmetric key called the database encryption key; with a customer-managed key, that database encryption key is in turn protected by a key you hold in Azure Key Vault. Azure Key Vault is a cloud service that provides a secure store for secrets, keys, and certificates.
Here is a step-by-step Pulumi program in TypeScript that sets up TDE using Key Vault certificates:
- Create an Azure Resource Group to organize related resources.
- Deploy an Azure Key Vault to store the encryption keys.
- Generate a Key Vault Key which will be used to protect the database encryption key.
- Deploy an Azure SQL Server.
- Deploy an Azure SQL Database within the SQL Server.
- Enable a server key in the SQL Server with a reference to the Key Vault Key.
- Set up the Transparent Data Encryption on the SQL Database with the server key.
The following program uses the azure-native provider, which interacts directly with Azure's Resource Manager API, giving you access to the full breadth of Azure services without having to manage multiple providers. Please replace the placeholders <key_vault_name>, <your_sql_server_name>, <your_database_name>, and <key_name> with your specific values.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Create an Azure Resource Group
const resourceGroup = new azure_native.resources.ResourceGroup("resourceGroup");

// Tenant of the credentials Pulumi is running with; the vault and its access policy need it
const tenantId = azure_native.authorization.getClientConfig().then(config => config.tenantId);

// Deploy an Azure SQL Server with a system-assigned managed identity.
// Key Vault authorises this identity to wrap/unwrap the database encryption key,
// so the server is created first and the vault's access policy references it.
const sqlServer = new azure_native.sql.Server("sqlServer", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    serverName: "<your_sql_server_name>",
    administratorLogin: "sqlAdmin",
    administratorLoginPassword: "complex-password-here!", // Replace with a strong password (ideally a Pulumi config secret)
    version: "12.0",
    identity: { type: "SystemAssigned" },
});

// Deploy an Azure Key Vault. Soft delete and purge protection are required by Azure SQL
// for a customer-managed TDE protector. The access policy grants the server's identity
// only the key permissions TDE needs (get, wrapKey, unwrapKey).
const keyVault = new azure_native.keyvault.Vault("keyVault", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    vaultName: "<key_vault_name>",
    properties: {
        sku: { family: "A", name: "standard" },
        tenantId: tenantId,
        enableSoftDelete: true,
        enablePurgeProtection: true,
        accessPolicies: [{
            tenantId: tenantId,
            objectId: sqlServer.identity.apply(identity => identity!.principalId),
            permissions: { keys: ["get", "wrapKey", "unwrapKey"] },
        }],
    },
});

// Generate a Key Vault Key that will protect the database encryption key
const key = new azure_native.keyvault.Key("key", {
    keyName: "<key_name>",
    resourceGroupName: resourceGroup.name,
    vaultName: keyVault.name,
    properties: {
        kty: "RSA",
        keySize: 2048, // Key size can be 2048, 3072, or 4096 (depending on what you need)
        keyOps: ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"],
    },
});

// Deploy an Azure SQL Database
const sqlDatabase = new azure_native.sql.Database("sqlDatabase", {
    databaseName: "<your_database_name>",
    resourceGroupName: resourceGroup.name,
    serverName: sqlServer.name,
    location: resourceGroup.location,
    sku: { name: "S0" },
});

// Register the Key Vault Key as a server key. Azure SQL requires the versioned key URI
// and names the server key "<vault>_<key>_<version>".
const keyVersion = key.keyUriWithVersion.apply(uri => uri.split("/").pop()!);
const serverKeyName = pulumi.interpolate`${keyVault.name}_${key.name}_${keyVersion}`;
const serverKey = new azure_native.sql.ServerKey("serverKey", {
    resourceGroupName: resourceGroup.name,
    serverName: sqlServer.name,
    keyName: serverKeyName,
    serverKeyType: "AzureKeyVault",
    uri: key.keyUriWithVersion,
});

// Make that server key the TDE protector. Without this step the database stays
// encrypted with the service-managed key and the Key Vault key is never used.
const encryptionProtector = new azure_native.sql.EncryptionProtector("encryptionProtector", {
    resourceGroupName: resourceGroup.name,
    serverName: sqlServer.name,
    encryptionProtectorName: "current",
    serverKeyType: "AzureKeyVault",
    serverKeyName: serverKey.name,
}, { dependsOn: [serverKey] });

// Enable Transparent Data Encryption on the SQL Database (azure-native v2 argument names)
const transparentDataEncryption = new azure_native.sql.TransparentDataEncryption("transparentDataEncryption", {
    resourceGroupName: resourceGroup.name,
    serverName: sqlServer.name,
    databaseName: sqlDatabase.name,
    tdeName: "current", // "current" is the default name for TDE on Azure SQL database
    state: "Enabled",
}, { dependsOn: [encryptionProtector] });

export const keyVaultUri = keyVault.properties.vaultUri;
export const sqlServerFqdn = sqlServer.fullyQualifiedDomainName;
export const sqlDatabaseId = sqlDatabase.id;
```
This program sets up the necessary resources and enables TDE on the SQL database with a key held in Key Vault as the protector. Once you run it, data at rest in the Azure SQL Database is encrypted, and the database encryption key can only be unwrapped while the server's identity keeps its Key Vault permissions. Handle secrets such as the Key Vault Key and the SQL Server password with care: use Pulumi config secrets or Azure Key Vault rather than literal values in the program.
Remember to replace the password, server name, and other placeholder values with your actual desired settings before running this program.
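The server-key step above is where deployments most often fail: Azure SQL only accepts a versioned key URI and expects the server key to be named "<vault>_<key>_<version>". The helper below is an added example, not code from the page or from Pulumi, that validates a Key Vault key URI offline and derives that name, plus a check that the key's allowed operations include the two TDE needs. The URI and key-op list it is run on are constructed sample values; `parseKeyVaultKeyUri` and `missingTdeKeyOps` are hypothetical names.

```typescript
// Added example (not from the page or Pulumi). Derives the Azure SQL server-key name
// from a Key Vault key URI and rejects the inputs Azure SQL rejects. Assumes the
// documented formats: https://<vault>.vault.azure.net/keys/<key>/<version> and the
// server key name "<vault>_<key>_<version>", where <version> is 32 hex characters.

interface ParsedKeyUri {
    vaultName: string;
    keyName: string;
    version: string;
    serverKeyName: string; // "<vault>_<key>_<version>", the value ServerKey.keyName needs
}

function parseKeyVaultKeyUri(uri: string): ParsedKeyUri {
    let url: URL;
    try {
        url = new URL(uri);
    } catch {
        throw new Error(`not a URL: ${uri}`);
    }
    if (url.protocol !== "https:") {
        throw new Error("Key Vault key URI must use https");
    }
    // Vault name is the first DNS label of the public Key Vault host
    const host = url.hostname.toLowerCase();
    const suffix = ".vault.azure.net";
    if (!host.endsWith(suffix)) {
        throw new Error(`unexpected host for a Key Vault key: ${host}`);
    }
    const vaultName = host.slice(0, -suffix.length);

    // Path must be exactly /keys/<name>/<version>; an unversioned URI is the common mistake
    const parts = url.pathname.split("/").filter(p => p.length > 0);
    if (parts.length !== 3 || parts[0] !== "keys") {
        throw new Error(`expected /keys/<name>/<version>, got ${url.pathname}`);
    }
    const [, keyName, version] = parts;
    if (!/^[0-9a-f]{32}$/.test(version)) {
        throw new Error(`missing or malformed key version: ${version}`);
    }
    return { vaultName, keyName, version, serverKeyName: `${vaultName}_${keyName}_${version}` };
}

// TDE wraps and unwraps the database encryption key, so the Key Vault key must allow both;
// "get" is a vault access-policy permission, not a key operation, and is checked elsewhere.
const REQUIRED_TDE_KEY_OPS: readonly string[] = ["wrapKey", "unwrapKey"];

function missingTdeKeyOps(keyOps: readonly string[]): string[] {
    return REQUIRED_TDE_KEY_OPS.filter(op => !keyOps.includes(op));
}

// Constructed sample values (not real resources)
const sampleUri = "https://myvault.vault.azure.net/keys/tdekey/0123456789abcdef0123456789abcdef";
const parsed = parseKeyVaultKeyUri(sampleUri);
console.log(`server key name: ${parsed.serverKeyName}`);
console.log(`missing key ops: ${missingTdeKeyOps(["encrypt", "decrypt"]).join(", ") || "none"}`);
```

Run it before `pulumi up` against the URI Key Vault reports for the key (the `keyUriWithVersion` output); a thrown error means the ServerKey resource would have been rejected by Azure SQL for the same reason.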