Dynamic Data Masking in Azure SQL

Jan Dvořák — Thu, 31 Oct 2019 22:49:03 +0000

Dynamic Data Masking is available for Azure SQL Database as one of the main security features. There is more on Data Masking on Microsoft Docs. I don’t want to repeat all these technical details, but rather provide you with a simple tutorial on how to set up Dynamic Data Masking for Azure SQL Database. Free Azure subscription is the only thing you will need to try. Please create one Azure SQL Database for testing or use an existing one.

Creating a masking rule

1. Navigate to your database in Azure Portal and choose the Dynamic Data Masking item from the Security menu:

2. Click Add mask button to create a new masking rule. I’m using AdwentureWorkLT as a sample database for this tutorial. There is table SalesLT.Customer table with column EmailAddress which I would like to mask to hide email addresses from low privileged users.

There are few predefined masking functions and one of them is created exactly for simple masking of email addresses. Please choose it in the field Masking field format:

3. Save the rule and you will see it listed in the Masking rules overview:

We have successfully created a masking rule to hide email addresses and we will test it now.

Testing masking rule

Connect to Azure SQL Database for which we have created masking rule and run following script from SSMS, Azure Data Studio, or Query Editor in Azure Portal:

-- run as admin user
SELECT CustomerID, EmailAddress FROM SalesLT.Customer
GO

-- create user with low permissions
CREATE USER LowPermUser WITHOUT LOGIN
GO

-- grant SELECT to LowPermUser
GRANT SELECT ON SalesLT.Customer TO LowPermUser
GO

-- execute as LowPermUser
EXECUTE AS USER = 'LowPermUser'

SELECT CustomerID, EmailAddress FROM SalesLT.Customer
GO

Result set 1:

Result set 2:

The query will return two result sets you can see above. How that works?

1. The first result set is coming from a simple select to source table which we have executed against the database under the admin account which has by default all data unmasked.

2. We have created low privileged database user LowPermUser and granted only SELECT permission on our sample table.

3. We switched execution context to the LowPermUser and executed again SELECT query which returned Result set 2 containing email addresses masked with the predefined Email masking function.

That’s it. Easy.

if you would like to review existing masking rules configured for the database then it can be done with this simple query:

SELECT 
	s.name SchemaName, t.name TableName, c.name ColumnName, 
	c.is_masked, c.masking_function
FROM sys.masked_columns c
	INNER JOIN sys.tables t ON t.object_id = c.object_id 
	INNER JOIN sys.schemas s ON s.schema_id = t.schema_id
GO

As a next step, I will recommend reviewing some security concerns related to Dynamic Data Masking.

Configure Azure SQL Transparent Data Encryption With Your Own Key

Jan Dvořák — Mon, 28 Oct 2019 20:52:07 +0000

Transparent Data Encryption is by default configured for Azure SQL Database to use service managed key. This means that Azure is managing encryption keys for you with 90 days rotation. If you have some regulatory or data privacy requirement you can change the default setting and encrypt Azure SQL Database with your own key. I will show you how to set it all using the Azure Key Vault step-by-step in this tutorial.

The only one prerequisite you will need is configured Azure SQL Server. There is no need to have any database created because TDE is configured at server level and at database level you can only switch it on or off.

To use our own encryption keys we need to have Azure Key Vault preconfigured. If you haven’t done it till now, follow a few simple steps listed below.

Configure Azure Key Vault

Open Azure Portal and search for Key Vault item in available services. Click on the Create button and complete the form using your own Resource group name:

Press the Review + Create button and wait a few seconds before the deployment is completed.

Create encryption key

When the Key vault was successfully created we can create a new key that will be later used by for encryption by TDE service. Select for Keys item in the Settings section and Genera new one:

Name of the key is up to you. For other items, we will use default settings.

Press the Create button and verify that the creation of the key was completed:

Configure Transparent data encryption

Navigate to your SQL Server instance and in the Security group and click on Transparent data encryption item. As you can see using service-managed keys is the default option.

Because we will use for the encryption our own keys, change the setting to Yes and when prompted pickup you Azure Key Vault and select proper encryption Key:

Finally, press the Save button.

If saving your new configuration has failed with following error, continue with next step:

Using Azure Key Vault together with TDE requires the Key Vault to be properly configured. Soft delete functionality needs to be enabled to protect you against full data loss in case of accidental deletion of encryption keys. There is no such configuration option in Azure Portal and we will need to open Cloud Shell and configure the required setting using Powershell:

($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName "ContosoVault").ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"

Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties

Console output:

You can navigate back to Key Vault detail to check is the configuration succeed:

Let’s go back to TDE configuration screen and try again:

The operation completed successfully this time and our TDE is using our own keys stored in Azure Key Vault instead of service-managed keys.