
Azure SQL Disk Encryption


In the Information Age, data is the new currency and, like anything valuable, it needs to be protected. Azure SQL and its environment provide a range of mechanisms for protecting your data from a multitude of hazards. The potential threats range from bad actors trying to steal information to unintentional human error corrupting your data. To cover all eventualities, Azure provides pre-emptive protection in the form of network security, several types of data encryption, data classification, and vulnerability assessment services. After-the-fact protection is available in the form of built-in data change tracking. This course not only tells you what protection is available for your database but also shows you how to implement it.

If you have any feedback relating to this course, feel free to contact us at support@cloudacademy.com.

Learning Objectives

  • Learn what security components are available within Azure SQL
  • Understand how these elements work together to provide a secure environment
  • Learn how to implement infrastructure security
  • Learn how to secure your data from external and internal hazards
  • Learn how to implement data change tracking

Intended Audience

  • Anyone who wants to learn how to implement secure Azure SQL databases
  • Those preparing for Microsoft’s DP-300 exam


To get the most out of this course, you should have a general understanding of the fundamentals of Microsoft Azure. Experience using databases — especially SQL Server — would also be beneficial.


The GitHub repository for this course can be found here: https://github.com/cloudacademy/azure-sql-data-security-dp-300


When you create a virtual machine or a managed disk, you have a couple of encryption options. The default is encryption at rest with a platform-managed key. I want to talk about implementing encryption with a customer-managed key.

The first thing we must do is create a key vault to store the key that will be used for the disk encryption. When you create the key vault, you can specify Azure disk encryption for volume encryption under Access Policy, or if you have already created your key vault, you can go into Access policies under Settings and enable Azure disk encryption there. In the key vault, within Keys under Settings, you need to create or import a key. Here, I have generated a new key named diskkey.

Once the key has been created, we need to create a new disk encryption sets resource. Within Disk encryption sets, add a new disk encryption set. In the disk encryption set, create or assign a resource group, but your region needs to be the same as your key vault region and the region you are going to create the disk in. Next, select your key vault and key via the hyperlink. If you haven’t already created your key vault and key, you can create them here.

When your disk encryption set resource has been created and you first go to that resource, you have the opportunity to grant the appropriate permissions, which is what I’ve done here. If you don’t do that, you can set those permissions after the fact by going to your key vault and adding an access policy. Here are the three permissions that were automatically granted to my disk encryption set.

Once you have set up the key within the key vault, created the disk encryption set, and associated it with your key, you can then select it from the Disk encryption set drop-down when you choose the customer-managed key encryption type.

As with all resource creation and modification, you can also accomplish the same task with PowerShell or Azure CLI scripts. You can use the Set-AzDiskKeyEncryptionKey command to set the encryption key properties on a disk, or Set-AzVMDiskEncryptionExtension to enable encryption on a running virtual machine.
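The portal walkthrough above (key vault, key, disk encryption set, access policy, then the disk itself) can be scripted end to end. The following is an added example written for this page with Az PowerShell; it is not code from the course or its GitHub repository. The resource group, region, vault, disk encryption set and disk names, and the disk size are assumptions; replace them with your own values. A single $location variable is used on purpose, because the vault, the disk encryption set and the disk must all be in the same region.

```powershell
# Added example (not from the course or its repo): customer-managed key encryption for a
# managed disk using a Key Vault key and a disk encryption set. All names are assumptions.
$rg       = "rg-cmk-demo"        # assumption: resource group name
$location = "eastus"             # assumption: one region shared by vault, DES and disk
$kvName   = "kv-cmk-demo-0001"   # assumption: Key Vault names must be globally unique
$desName  = "des-cmk-demo"       # assumption: disk encryption set name
$diskName = "disk-cmk-demo"      # assumption: managed disk name

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 1. Key vault. A disk encryption set requires purge protection on the vault (soft delete is
#    on by default), so a deleted key cannot be purged while a disk still depends on it.
#    -EnabledForDiskEncryption is the "Azure Disk Encryption for volume encryption" option.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
        -EnablePurgeProtection -EnabledForDiskEncryption

# 2. Key. The transcript generates one named "diskkey"; use -Destination HSM for an HSM-backed key.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name "diskkey" -Destination Software

# 3. Disk encryption set in the same region, bound to the vault and key, with a
#    system-assigned managed identity that the platform will use to reach the key.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
               -SourceVaultId $kv.ResourceId -KeyUrl $key.Key.Kid -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -InputObject $desConfig

# 4. Grant the DES identity the three key permissions it needs: get, wrapKey, unwrapKey.
#    This is the access policy the portal offers to add when you first open the new DES.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys get,wrapKey,unwrapKey

# 5. Create an empty disk whose encryption type is customer-managed key via the DES.
$diskConfig = New-AzDiskConfig -Location $location -CreateOption Empty -DiskSizeGB 128 `
                -SkuName Premium_LRS -EncryptionType EncryptionAtRestWithCustomerKey `
                -DiskEncryptionSetId $des.Id
New-AzDisk -ResourceGroupName $rg -DiskName $diskName -Disk $diskConfig | Out-Null

# 6. Verify the result rather than trusting the call succeeded: the disk should report
#    EncryptionAtRestWithCustomerKey and reference the disk encryption set we created.
$disk = Get-AzDisk -ResourceGroupName $rg -DiskName $diskName
if ($disk.Encryption.Type -ne "EncryptionAtRestWithCustomerKey" -or
    $disk.Encryption.DiskEncryptionSetId -ne $des.Id) {
    throw "Disk $diskName is not encrypted with the expected customer-managed key."
}
"Disk $diskName is encrypted with CMK via $($des.Id)"
```

If the vault uses Azure RBAC instead of access policies, step 4 becomes a role assignment of Key Vault Crypto Service Encryption User to the disk encryption set's identity rather than Set-AzKeyVaultAccessPolicy. The verification in step 6 is worth keeping in any automation: a disk created without -DiskEncryptionSetId still succeeds, but silently falls back to the platform-managed key.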



About the Author

Hallam is a software architect with over 20 years’ experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.