The Certificate used for encryption for Azure SQL Managed Instance must be backed up, stored offline and off-site.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-276289 | MSQL-D0-001800 | SV-276289r1149776_rule | CCI-001199 | medium |
| Description | ||||
| Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery. | ||||
| STIG | Date | |||
| Microsoft Azure SQL Managed Instance Security Technical Implementation Guide | 2025-10-07 | |||
Details
Check Text (C-276289r1149776_chk)
Use the PowerShell command below to retrieve the Transparent Data Encryption key type:
$ResourceGroupName = '<Resource Group Name>'
$ManagedInstanceName = '<Managed Instance Name>'
Get-AzSqlInstanceTransparentDataEncryptionProtector -ResourceGroupName $ResourceGroupname -InstanceName $ManagedInstanceName | Select-Object Type
If the application owner and authorizing official (AO) have determined that encryption of data at rest is not required and the Transparent Data Encryption protector key is type "ServiceManaged", this is not a finding.
If the application owner and AO have determined that encryption of data at rest is required and the Transparent Data Encryption protector key type is "AzureKeyVault" (commonly referred to as Bring Your Own Key or BYOK), this is a finding.
Fix Text (F-80349r1149775_fix)
Document and implement procedures to safely back up and store the certificate used for encryption. Include in the procedures methods to establish evidence of backup and storage, and careful, restricted access and restoration of the Certificate. Also, include provisions to store the backup off-site.
BACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file'
WITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password');
As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.