Enabling TDE on Azure SQL DB Server using Python

Guest Yochanan_Rachamim
Posted

Purpose:

Example of how to set up TDE using BYOK on an Azure SQL Database server using Python code.

 

Setting up TDE using BYOK consists of two steps.

Step 1 - add a server key.

Step 2 - apply the server key as the encryption protector.

You may add more than one server key, but only one can be the encryption protector that is used for TDE.

Adding additional keys allows you to migrate databases from other servers that were encrypted with other keys.

When a database first arrives on the server, the matching server key is used to decrypt the database; it is then re-encrypted using the encryption protector.

 

 

Example:

```python
# Prerequisites:
# pip install azure-mgmt-sql
# pip install python-dateutil
# pip install azure-identity
# pip install "azure-mgmt-resource>=18.0.0"   # quote the spec so the shell does not treat > as a redirect

# More examples can be found here:
# azure-samples-python-management/manage_server_key.py at main · Azure-Samples/azure-samples-python-management

from azure.identity import AzureCliCredential
from azure.mgmt.sql import SqlManagementClient
from azure.mgmt.sql.models import ServerKey, EncryptionProtector


def main():
    # Setting variables - update the values to match your environment.
    SUBSCRIPTION_ID = ""
    GROUP_NAME = ""
    SERVER = ""

    # Server key name format must be as follows: YourVaultName_YourKeyName_YourKeyVersion
    SERVER_KEY = "x_y_z"

    KeyType = "AzureKeyVault"
    KeyURI = "https://<KeyVaultName>.vault.azure.net/keys/<KeyName>/<KeyVersion>"  # get the URI from your key vault

    print("Start...")

    print("Create SqlManagementClient instance")
    sql_client = SqlManagementClient(
        credential=AzureCliCredential(),  # I am using current CLI credentials; use az login to log in with your account.
        subscription_id=SUBSCRIPTION_ID,
    )

    # Set the TDE server key object so we can apply it to a server
    tde = ServerKey(
        server_key_type=KeyType,
        uri=KeyURI,
    )

    # Step 1 - add the server key (long-running operation; .result() waits for it to complete)
    server_key = sql_client.server_keys.begin_create_or_update(
        GROUP_NAME,
        SERVER,
        SERVER_KEY,
        tde,
    ).result()

    print("Attempt to apply the server key as encryption protector... ")
    # Step 2 - make the key the encryption protector; wait for the operation to finish before reporting Done
    sql_client.encryption_protectors.begin_create_or_update(
        GROUP_NAME,
        SERVER,
        "current",
        EncryptionProtector(
            server_key_name=SERVER_KEY,
            server_key_type=KeyType,
        ),
    ).result()

    print("Done")


if __name__ == "__main__":
    main()
```
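Two helpers added here as an example (not part of the original post): one derives the `VaultName_KeyName_KeyVersion` server-key name the script needs from the Key Vault key URI, so the two values cannot drift apart, and one checks that the active protector really is that key, for use on the object returned by `sql_client.encryption_protectors.get(GROUP_NAME, SERVER, "current")` (assumed here to expose `server_key_name` and `server_key_type`, as `EncryptionProtector` does). The sample protector below is constructed so the check runs offline.

```python
from types import SimpleNamespace
from urllib.parse import urlparse

KV_SUFFIX = ".vault.azure.net"


def server_key_name_from_uri(key_uri: str) -> str:
    """Map https://<vault>.vault.azure.net/keys/<KeyName>/<KeyVersion>
    to the server-key name format <vault>_<KeyName>_<KeyVersion>.

    A URI without a key version is rejected: a TDE protector must be
    pinned to one version, otherwise a key rotation silently changes
    which material protects the databases.
    """
    parsed = urlparse(key_uri)
    if parsed.scheme != "https":
        raise ValueError("Key Vault URI must use https")
    host = parsed.netloc
    if not host.lower().endswith(KV_SUFFIX):
        raise ValueError("not a Key Vault host: %r" % host)
    vault = host[: -len(KV_SUFFIX)]
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) != 3 or parts[0].lower() != "keys":
        raise ValueError("expected /keys/<KeyName>/<KeyVersion>, got %r" % parsed.path)
    _, key_name, key_version = parts
    return "%s_%s_%s" % (vault, key_name, key_version)


def protector_matches(protector, expected_key_name: str) -> bool:
    """True only when the active protector is the expected Key Vault key.

    A protector of type ServiceManaged, or a different key name, means the
    BYOK step did not take effect and the script should not report success.
    """
    return (
        getattr(protector, "server_key_type", None) == "AzureKeyVault"
        and getattr(protector, "server_key_name", None) == expected_key_name
    )


# Constructed sample values (hypothetical vault, key and version) for offline use.
SAMPLE_KEY_URI = "https://contoso-kv.vault.azure.net/keys/tde-key/0123456789abcdef0123456789abcdef"
SAMPLE_PROTECTOR = SimpleNamespace(
    server_key_type="AzureKeyVault",
    server_key_name="contoso-kv_tde-key_0123456789abcdef0123456789abcdef",
)

if __name__ == "__main__":
    name = server_key_name_from_uri(SAMPLE_KEY_URI)
    print("derived server key name:", name)
    print("protector matches:", protector_matches(SAMPLE_PROTECTOR, name))
```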
