
Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key

Why This Matters

Transparent Data Encryption (TDE) protects your SQL data at rest, but when only a service-managed certificate protects the encryption key, you lack visibility and control over who can access that key. By using a customer-managed key stored in Azure Key Vault, you enforce separation of duties, gain full control over key rotation and access policies, and meet compliance requirements for sensitive or regulated data. Without this control, a compromised service-level key could expose all encrypted databases under that server.

What Aether365 Checks

Aether365 verifies that each Azure SQL Server has its TDE protector encrypted with a customer-managed key stored in Azure Key Vault, not with a service-managed certificate. This check appears in your Aether365 dashboard under the azure-sql-server checks section.
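As an added illustration of the logic behind this check (example code written here, not Aether365's own implementation), the function below classifies a server's current encryption protector. The records are constructed to mirror the shape of the Azure SQL REST API `encryptionProtector` resource (`properties.serverKeyType` of `ServiceManaged` or `AzureKeyVault`, `properties.uri` as the key identifier); server and vault names are hypothetical.

```python
"""Evaluate Azure SQL Server TDE protectors for customer-managed keys.

Added example, not Aether365's code. Input records are constructed to mirror
the Azure SQL REST API 'encryptionProtector' resource.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

PASS, FAIL = "PASS", "FAIL"
# Hostname suffixes of Azure Key Vault and Managed HSM key identifiers (public cloud).
KEY_VAULT_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")

def evaluate_tde_protector(protector: Dict) -> Tuple[str, str]:
    """Return (status, reason) for one server's current encryption protector."""
    props = protector.get("properties") or {}
    key_type = props.get("serverKeyType")
    uri = props.get("uri")
    if key_type is None:
        # Fail closed: a server with no protector reported is treated as service-managed.
        return FAIL, "no encryption protector reported"
    if key_type == "ServiceManaged":
        return FAIL, "TDE protector is a service-managed certificate"
    if key_type != "AzureKeyVault":
        return FAIL, f"unexpected serverKeyType {key_type!r}"
    # A customer-managed protector must point at a key in Key Vault or Managed HSM.
    host = urlparse(uri or "").hostname or ""
    if not uri or not host.endswith(KEY_VAULT_SUFFIXES):
        return FAIL, f"AzureKeyVault protector without a Key Vault key URI: {uri!r}"
    return PASS, f"customer-managed key: {uri}"

def evaluate_servers(servers: List[Dict]) -> Dict[str, Tuple[str, str]]:
    """Map each server name to its check result; servers lacking a protector fail."""
    return {s["name"]: evaluate_tde_protector(s.get("encryptionProtector") or {})
            for s in servers}

# Constructed sample inventory (hypothetical server and vault names).
SAMPLE_SERVERS = [
    {"name": "sql-prod-01", "encryptionProtector": {"properties": {
        "serverKeyType": "AzureKeyVault",
        "uri": "https://kv-example.vault.azure.net/keys/tde-key/0123abcd"}}},
    {"name": "sql-dev-02", "encryptionProtector": {"properties": {
        "serverKeyType": "ServiceManaged", "uri": None}}},
    {"name": "sql-legacy-03"},  # no protector returned at all
]

for name, (status, reason) in evaluate_servers(SAMPLE_SERVERS).items():
    print(f"{status} {name}: {reason}")
```

In a real run the records would come from the Azure API for each server rather than the constructed list above.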

Microsoft references
