skip to Main Content

Mandatory Azure Key Vault Purge Protection for TDE BYOK in Azure SQL DB and Managed Instance

As of April 2022, soft-delete and purge protection will be required to be enabled in Azure SQL on a key vault when configuring Transparent Data Encryption (TDE) with Customer Managed Key (CMK) on the server or managed instance.

Previously, purge protection for TDE with CMK in Azure SQL was recommended but had to be switched on as it wasn’t a mandatory requirement.

What does this mean for you?

With soft-delete and purge protection on for all databases, security is increased against malicious or accidental deletion of a key vault. No one within the organisation or at Microsoft will be able to purge your key vaults during the soft delete retention period.

To avoid inconvenience, be sure to turn on purge protection for all your key vaults. As of April 1st, if this is not enabled and you attempt to set a key from the same vault as the TDE Protector, you will receive an error message requiring you to turn on purge protector and then re-do your operation.

Find out more

Full documentation is available here: Azure Key Vault soft-delete | Microsoft Docs and you can use a built-in Azure policy to audit your key vaults and discover which do not already have purge protection enabled.

Post Terms: Purge protection | TDE BYOK

About the Author

Marketing Manager, Leah Monterroso, has been writing blogs and articles for the last six years. Since working with Ballard Chalmers, she has immersed herself in Microsoft tech news and bringing value to clients and the wider community through content.

You can find Leah online at:

Back To Top
Contact us for a chat