Released to general availability in Azure SQL Database and Managed Instance is the ability to use an RSA key stored in Azure Key Vault Managed HSM, for customer-managed Transparent Data Encryption Bring Your Own Key (TDE BYOK).
This is added on top of the existing option of using Azure Key Vault. Together this provides flexibility for storing encryption keys and protecting the most confidential workloads.
This means that those sensitive workloads requiring higher security can now be safely brought into Azure while maintaining single-tenant, isolation, local RBAC, FIPS 140-2 Level 3 compliancy and throughput for key management.
Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs (Hardware Security Modules). Source: Microsoft documentation.