Lab
A Cloud Guru

Enabling Always Encrypted in Azure SQL

You are assuming the role of a cloud data engineer. You’ve been asked to ensure customer data is always encrypted at rest. Staff such as administrators and backup operators should not have access to customer data, even when using tools like SQL Server Management Studio. The unencrypted data should only be available to the application. In this hands-on lab, you will create an Azure SQL database and an Azure Key Vault, encrypt data using SQL Server Management Studio (SSMS), and view encryption results.

Try for free Contact sales

Path Info

Level

Advanced

Duration

45m

Published

Nov 19, 2021

Challenge

Create a SQL Server and SQL Database
Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.
1. Create a single SQL database.
  - The database name can be anything (sampleDB1, in this example).
2. Create a new server.
  - The server name can be anything unique (sqlsvr#####, in this example).
    
    Note: It's recommended to append a random five- or six-digit number at the end of the server name.
  - The username and password for the virtual machine can be used for the server admin.
  - Ensure Allow Azure services to access server is checked.
  - Change Compute + storage to Standard, 200 DTUs (or a Standard S04 server).
  - On the Additional settings screen:
    
    Under Data Source, select Sample.
    
    Set Enable Advanced Data Security to Not now.
Challenge

Create an Azure Key Vault
Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.
1. Create an Azure Key Vault.
  - The key vault name can be anything unique (kv#####, in this example).
    
    Note: It's recommended to append a random five- or six-digit number at the end of the vault name.
2. On the Access policy screen, in the Key Permissions column, select all permissions except for Purge, Release, Rotate, Get Rotation Policy, and Set Rotation Policy for the logged-in lab user.
Challenge

Use RDP to Connect to the Virtual Machine
1. Download and install an RDP client.
  - Windows: Use the Remote Desktop client available to Windows clients natively.
  - MacOS: Microsoft Remote Desktop
  - Linux: Remmina
2. In the Azure portal, browse to the VM and take down the public IP address of the server from the Overview tab in the server blade, or use the details from the lab.
3. Connect to the server via RDP and log in using the credentials provided.
4. On the virtual machine, use the Internet Options to lower the security of IE or install Microsoft Edge, and set it as the default browser. (The two options work around a bug when using the encryption wizard later.)
Challenge

Connect to SQL Server and Encrypt Some Data
1. Connect to SQL Server.
2. Change the Authentication type to SQL Server Authentication.
3. Connect using the credentials provided earlier.
  
  Note: If you are prompted to log in to Azure, use the provided lab credentials.
4. Browse to Databases > sampledb1 > Tables > and right-click on SalesLT.Customer.
5. Select Encrypt Columns.
6. Enable Always Encrypted via the wizard.
7. Select the FirstName, MiddleName, and LastName columns, and set all three to use Deterministic encryption.
8. Store the key in Azure Key Vault (log in with the Azure lab credentials).

Author

A Cloud Guru

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.