You are assuming the role of a cloud data engineer. You’ve been asked to ensure customer data is always encrypted at rest. Staff such as administrators and backup operators should not have access to customer data, even when using tools like SQL Server Management Studio. The unencrypted data should only be available to the application. In this hands-on lab, you will create an Azure SQL database and an Azure key vault, encrypt data using SQL Server Management Studio (SSMS), and view encryption results.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create a SQL Server and SQL Database
Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.
- Create a single SQL database.
- The database name can be anything (
sampleDB1in this example).
- The database name can be anything (
- Create a new server.
- The server name can be anything unique (
sampleserver#####in this example).Note: It’s recommended to append a random five- or six-digit number at the end of the server name.
- The username and password for the virtual machine can be used for the server admin.
- Ensure Allow Azure services to access server is checked.
- Change Compute + storage to Standard, 200 DTUs (or a Standard S04 server).
- On the Additional settings screen:
- Under Data Source, select Sample.
- Set Enable Advanced Data Security to Not now.
- The server name can be anything unique (
- Create a single SQL database.
- Create an Azure Key Vault
Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.
- Create an Azure key vault.
- The key vault name can be anything unique (
samplevault#####in this example).Note: It’s recommended to append a random five- or six-digit number at the end of the vault name.
- The key vault name can be anything unique (
- On the Access policy screen, in the Key Permissions column, select all permissions except for Purge, Release, Rotate, Get Rotation Policy, and Set Rotation Policy for the logged-in lab user.
- Create an Azure key vault.
- Use RDP to Connect to the Virtual Machine
Download and install an RDP client.
- Windows: Use the Remote Desktop client available to Windows clients natively.
- MacOS: Microsoft Remote Desktop
- Linux: Remmina
In the Azure portal, browse to the VM and take down the public IP address of the server from the Overview tab in the server blade, or use the details from the lab.
Connect to the server via RDP and log in using the credentials provided.
On the virtual machine use the Internet Options to lower the security of IE or install Microsoft Edge and set it as the default browser. (The two options work around a bug when using the encryption wizard later.)
- Connect to SQL Server and Encrypt Some Data
- Connect to SQL Server.
- Change the Authentication type to SQL Server Authentication.
- Connect using the credentials provided earlier.
Note: If you are prompted to log in to Azure, use the provided lab credentials.
- Browse to Databases > sampledb1 > Tables > and right-click on SalesLT.Customer.
- Select Encrypt Columns.
- Enable Always Encrypted via the wizard.
- Select the FirstName, MiddleName, and LastName columns, and set all three to use Deterministic encryption.
- Store the key in Azure Key Vault (log in with the Azure lab credentials).
