How to check that TDE is enabled and working in Azure SQL Database

As far as I understand from Microsoft's documentation, TDE is enabled by default and managed automatically (if the BYOK option is not chosen). As a user with admin rights on the server, I can see all the data I want through SQL Server Management Studio.

While I do see that every database created in the Azure portal has TDE enabled, is there any way for me to see the data in its encrypted form, just to check that it really is encrypted?

Also, if I use the default option rather than the BYOK option, does that mean everything is managed for me and I can rest assured that my database is always protected without me having to do anything?

You can't actually view the encrypted data as-is. If you have permission to view the data, you will always get the decrypted data.

Yes, if the default TDE option is chosen, it is managed for you by MS.

From the MS docs: Service-managed transparent data encryption

In Azure, the default setting for TDE is that the DEK is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256. If a database is in a geo-replication relationship, both the primary and geo-secondary databases are protected by the primary database's parent server key. If two databases are connected to the same server, they also share the same built-in certificate. Microsoft automatically rotates these certificates in compliance with the internal security policy and the root key is protected by a Microsoft internal secret store. Customers can verify SQL Database and SQL Managed Instance compliance with internal security policies in independent third-party audit reports available on the Microsoft Trust Center.
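The answer above says you cannot see ciphertext through a normal connection, but you can still confirm that TDE is actually on and which kind of protector is in use. The following T-SQL is an added example, not part of the original question or answer; it reads the built-in `sys.databases` catalog view and the `sys.dm_database_encryption_keys` DMV, both of which are available in Azure SQL Database when run against the user database itself (not `master`). Column names and state codes are as documented for these views; the `CASE` labels are assumed mappings from the documented `encryption_state` values.

```sql
-- Run this connected to the user database you want to check, not to master.

-- 1. Catalog flag: is_encrypted = 1 means the database has a DEK and TDE is on.
SELECT name, is_encrypted
FROM sys.databases
WHERE name = DB_NAME();

-- 2. Detail from the DMV. What to look for:
--    encryption_state = 3           -> data files are fully encrypted
--    encryptor_type   = 'CERTIFICATE'    -> service-managed key (the default described above)
--    encryptor_type   = 'ASYMMETRIC KEY' -> customer-managed key (BYOK via Key Vault)
--    key_algorithm/key_length       -> expect AES / 256 for service-managed TDE
--    percent_complete               -> non-zero only while an encryption scan is running
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       CASE encryption_state
            WHEN 0 THEN 'No database encryption key present'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
            WHEN 6 THEN 'Protection change in progress'
            ELSE 'Unknown'
       END AS encryption_state_label,   -- label assumed from the documented state codes
       encryptor_type,
       key_algorithm,
       key_length,
       encryptor_thumbprint,            -- identifies the current protector; changes when MS rotates it
       percent_complete
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID();
```

A healthy service-managed database returns one row with `encryption_state = 3`, `encryptor_type = 'CERTIFICATE'`, `key_algorithm = 'AES'` and `key_length = 256`. A result of zero rows or `encryption_state` other than 3 means TDE is off or still in progress. Note what this does not prove: the query reports the state the service claims, and, as the answer says, any authenticated query still returns plaintext. Verifying that the storage underneath is really encrypted is not possible from inside the database; that part rests on the third-party audit reports the quoted documentation points to.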