Configure geo replication and backup restore for transparent data encryption with database level customer-managed keys

Applies to: Azure SQL Database

Note

Database Level TDE CMK is available for Azure SQL Database (all SQL Database editions). It is not available for Azure SQL Managed Instance, SQL Server on-premises, Azure VMs, and Azure Synapse Analytics (dedicated SQL pools (formerly SQL DW)).

In this guide, we go through the steps to configure geo replication and backup restore on an Azure SQL Database. The Azure SQL Database is configured with transparent data encryption (TDE) and customer-managed keys (CMK) at the database level, utilizing a user-assigned managed identity to access Azure Key Vault. Both the Azure Key Vault and logical server for Azure SQL are in the same Microsoft Entra tenant for this guide, but they can be in different tenants.

Note

Microsoft Entra ID was previously known as Azure Active Directory (Azure AD).

Prerequisites

Note

The same guide can be applied to configure database level customer-managed keys in a different tenant by including the federated client ID parameter. For more information, see Identity and key management for TDE with database level customer-managed keys.

Important

After the database is created or restored, the Transparent Data Encryption menu in the Azure portal will show the new database with the same settings as the source database, but may have keys missing. In all cases where a new database is created from a source database, the number of keys displayed for a target database in the Azure portal Additional Database Keys list could be less than the number of keys displayed for a source database. This is because the number of displayed keys depends on the individual feature requirements used to create a target database. To list all keys available for a newly created database, use the available APIs in View the database level customer-managed key settings on an Azure SQL Database.

Create an Azure SQL Database with database level customer-managed keys as a secondary or copy

Use the following instructions or commands to create a secondary replica or copy target of an Azure SQL Database configured with database level customer-managed keys. A user-assigned managed identity is required for setting up a customer-managed key for transparent data encryption during the database creation phase.

Create a database copy that has database level customer-managed keys

To create a database in Azure SQL Database as a copy with database level customer-managed keys, follow these steps:

  1. Go to the Azure portal and navigate to the Azure SQL Database configured with database level customer-managed keys. Access the Transparent Data Encryption tab of the Data Encryption menu and check the list of current keys in use by the database.

    Screenshot of the Azure portal transparent data encryption menu for a database.

  2. Create a copy of the database by selecting Copy from the Overview menu of the database.

    Screenshot of the Azure portal copy database menu.

  3. The Create SQL Database - Copy database menu appears. Use a different server for this database, but the same settings as the database you're trying to copy. In the Transparent Data Encryption Key Management section, select Configure transparent data encryption.

    Screenshot of the Azure portal copy database menu with the transparent data encryption key management section expanded.

  4. When the Transparent Data Encryption menu appears, review the CMK settings for this copy database. The settings and keys should be populated with the same identity and keys used in the source database.

  5. Select Apply to continue and then select Review + create, and Create to create the copy database.

Create a secondary replica that has database level customer-managed keys

  1. Go to the Azure portal and navigate to the Azure SQL Database configured with database level customer-managed keys. Access the Transparent Data Encryption menu and check the list of current keys in use by the database.

    Screenshot of the Azure portal transparent data encryption menu for a database.

  2. Under Data management settings for the database, select Replicas. Select Create replica to create a secondary replica of the database.

    Screenshot of the Azure portal database replica menu.

  3. The Create SQL Database - Geo Replica menu appears. Use a secondary server for this database, but the same settings as the database you're trying to replicate. In the Transparent Data Encryption Key Management section, select Configure transparent data encryption.

    Screenshot of the Azure portal database replica menu with the transparent data encryption key management section expanded.

  4. When the Transparent Data Encryption menu appears, review the CMK settings for this database replica. The settings and keys should be populated with the same identity and keys used in the primary database.

  5. Select Apply to continue and then select Review + create, and Create to create the secondary replica.

Restore an Azure SQL Database with database level customer-managed keys

This section walks you through the steps to restore an Azure SQL Database configured with database level customer-managed keys. A user-assigned managed identity is required for setting up a customer-managed key for transparent data encryption during the database creation phase.

Point in time restore

The following section describes how to restore a database configured with customer-managed keys at the database level to a given point in time. To learn more about backup recovery for SQL Database, see Recover a database in SQL Database.

  1. Go to the Azure portal and navigate to the Azure SQL Database configured with database level customer-managed keys that you want to restore.

  2. To restore the database to a point in time, select Restore from the Overview menu of the database.

    Screenshot of the Azure portal copy database menu.

  3. The Create SQL Database - Restore database menu appears. Fill in the source and database details needed. In the Transparent Data Encryption Key Management section, select Configure transparent data encryption.

    Screenshot of the Azure portal restore database menu with the transparent data encryption key management section expanded.

  4. When the Transparent Data Encryption menu appears, review the CMK settings for the database. The settings and keys should be populated with the same identity and keys used in the database that you're trying to restore.

  5. Select Apply to continue and then select Review + create, and Create to create the restored database.

Dropped database restore

The following section describes how to restore a deleted database that was configured with customer-managed keys at the database level. To learn more about backup recovery for SQL Database, see Recover a database in SQL Database.

  1. Go to the Azure portal and navigate to the logical server for the deleted database that you want to restore. Under Data management, select Deleted databases.

    Screenshot of the Azure portal deleted databases menu.

  2. Select the deleted database that you want to restore.

  3. The Create SQL Database - Restore database menu appears. Fill in the source and database details needed. In the Transparent Data Encryption Key Management section, select Configure transparent data encryption.

    Screenshot of the Azure portal restore database menu with the transparent data encryption key management section expanded.

  4. When the Transparent Data Encryption menu appears, configure the User-Assigned Managed Identity, Customer-Managed Key, and Additional Database Keys section for your database.

  5. Select Apply to continue and then select Review + create, and Create to create the restored database.

Geo restore

The following section describes how to restore a geo-replicated backup of a database that is configured with customer-managed keys at the database level. To learn more about backup recovery for SQL Database, see Recover a database in SQL Database.

  1. Go to the Azure portal and navigate to the logical server where you want to restore the database.

  2. In the Overview menu, select Create database.

  3. The Create SQL Database menu appears. Fill in the Basic and Networking tabs for your new database. In Additional settings, select Backup for the Use existing data section, and select a geo-replicated backup.

    Screenshot of the Azure portal create database menu selecting a backup to use for the database.

  4. Go to the Security tab. In the Transparent Data Encryption Key Management section, select Configure transparent data encryption.

  5. When the Transparent Data Encryption menu appears, select Database level Customer-Managed Key (CMK). The User-Assigned Managed Identity, Customer-Managed Key, and Additional Database Keys must match the source database that you want to restore. Make sure the user-assigned managed identity has access to the key vault that contains the customer-managed key that was used in the backup.

  6. Select Apply to continue and then select Review + create, and Create to create the backup database.

Important

Long term retention (LTR) backups don't provide the list of keys used by the backup. To restore an LTR backup, all the keys used by the source database must be passed to the LTR restore target.
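The portal steps above for a copy, a secondary replica, a point-in-time restore and a dropped-database restore all come down to the same thing: the target must be created with the source database's user-assigned managed identity, its encryption protector, and every key the source has ever used. The following script is an added example, not code from this page or from Microsoft; it composes the Azure CLI commands for those four operations from a constructed sample of the source database's key list, and refuses to build a command whose protector is missing from that list. All resource names, the identity resource ID and the key URIs are constructed placeholders, and the `az sql db` flag names (`--assign-identity`, `--user-assigned-identity-id`, `--encryption-protector`, `--keys`, `--time`, `--deleted-time`) and the `--expand-keys` option of `az sql db show` are assumed from the current Azure CLI; confirm them with `az sql db copy --help` and `az sql db show --help` before use.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): compose the Azure CLI commands that create
# a copy, a geo-secondary, a point-in-time restore and a dropped-database restore of an
# Azure SQL Database using database-level TDE with CMK, carrying the source database's
# user-assigned managed identity and full key list to the target.
# Every resource name, identity and key URI below is a constructed placeholder.
set -eu

SRC_RG="rg-source"; SRC_SERVER="sql-source"; SRC_DB="db-cmk"
DST_RG="rg-target"; DST_SERVER="sql-target"
# Constructed identity resource ID (assumption: it already has get/wrapKey/unwrapKey
# on the key vault that holds the keys below).
UMI_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-source/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-tde"
KEY_OLD="https://kv-tde.vault.azure.net/keys/tde-key/0000000000000000000000000000aaaa"
KEY_CURRENT="https://kv-tde.vault.azure.net/keys/tde-key/0000000000000000000000000000bbbb"

# Constructed sample of the JSON that `az sql db show --expand-keys -o json` returns for
# the source database (assumption: the --expand-keys flag; see `az sql db show --help`).
SAMPLE_SHOW_JSON='{
  "name": "db-cmk",
  "encryptionProtector": "'"$KEY_CURRENT"'",
  "keys": {
    "'"$KEY_OLD"'": { "type": "AzureKeyVault" },
    "'"$KEY_CURRENT"'": { "type": "AzureKeyVault" }
  }
}'

# Extract every key vault key URI from the show output, de-duplicated, space separated.
# Older key versions matter: backups taken while they were the protector still need them.
keys_from_show_json() {
  printf '%s' "$1" | grep -o 'https://[^"]*/keys/[^"]*' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Refuse to proceed when the protector is not part of the key list handed to the target.
check_protector_in_keys() {
  local protector="$1"; shift
  for k in "$@"; do
    [ "$k" = "$protector" ] && return 0
  done
  echo "encryption protector $protector is not in the key list" >&2
  return 1
}

# CMK flags shared by copy, replica create and restore (assumed Azure CLI flag names).
cmk_args() {
  local protector="$1"; shift
  check_protector_in_keys "$protector" "$@" || return 1
  printf -- '--assign-identity --user-assigned-identity-id %s --encryption-protector %s --keys %s' \
    "$UMI_ID" "$protector" "$*"
}

KEYS=$(keys_from_show_json "$SAMPLE_SHOW_JSON")

build_copy_cmd() {              # $1 = name of the copy on the target server
  local cmk; cmk=$(cmk_args "$KEY_CURRENT" $KEYS) || return 1
  printf 'az sql db copy --name %s --resource-group %s --server %s --dest-name %s --dest-resource-group %s --dest-server %s %s' \
    "$SRC_DB" "$SRC_RG" "$SRC_SERVER" "$1" "$DST_RG" "$DST_SERVER" "$cmk"
}

build_replica_cmd() {           # geo-secondary on the partner server, same database name
  local cmk; cmk=$(cmk_args "$KEY_CURRENT" $KEYS) || return 1
  printf 'az sql db replica create --name %s --resource-group %s --server %s --partner-resource-group %s --partner-server %s %s' \
    "$SRC_DB" "$SRC_RG" "$SRC_SERVER" "$DST_RG" "$DST_SERVER" "$cmk"
}

build_pitr_cmd() {              # $1 = restored name, $2 = UTC point in time
  local cmk; cmk=$(cmk_args "$KEY_CURRENT" $KEYS) || return 1
  printf 'az sql db restore --name %s --resource-group %s --server %s --dest-name %s --time %s %s' \
    "$SRC_DB" "$SRC_RG" "$SRC_SERVER" "$1" "$2" "$cmk"
}

build_dropped_restore_cmd() {   # $1 = restored name, $2 = UTC deletion time of the source
  local cmk; cmk=$(cmk_args "$KEY_CURRENT" $KEYS) || return 1
  printf 'az sql db restore --name %s --resource-group %s --server %s --dest-name %s --deleted-time %s %s' \
    "$SRC_DB" "$SRC_RG" "$SRC_SERVER" "$1" "$2" "$cmk"
}

# Print the composed commands; review them, then run each one (or pipe this output to sh).
build_copy_cmd "db-cmk-copy"; echo
build_replica_cmd; echo
build_pitr_cmd "db-cmk-pitr" "2024-01-01T00:00:00Z"; echo
build_dropped_restore_cmd "db-cmk-undeleted" "2024-01-02T00:00:00Z"; echo
```

Geo restore and long-term retention restore need the same identity, protector and key list on the target. Because an LTR backup does not carry the list of keys it was encrypted with, capture the full key inventory from the live source database (the `keys_from_show_json` step above) while it still exists and keep it with your restore runbook; a target created with a subset of those keys cannot read the data encrypted under the missing ones.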

Note

The ARM template highlighted in the Create an Azure SQL Database with database level customer-managed keys as a secondary or copy section can be referenced to restore the database with an ARM template by changing the createMode parameter.

Automatic key rotation option for copied or restored databases

Newly copied or restored databases can be configured to automatically rotate the customer-managed key used for transparent data encryption. For information on how to enable automatic key rotation in the Azure portal or using APIs, see Automatic key rotation at the database level.

Next steps

Check the following documentation on various database level CMK operations: