Transparent Data Encryption (TDE)
DocumentDB should support Transparent Data Encryption.
We’re excited to announce that Azure Cosmos DB is now always encrypted at rest. See https://docs.microsoft.com/en-us/azure/documentdb/documentdb-nosql-database-security
Aravind Krishna R.
Azure Cosmos DB
Tony Voellm [MSFT] commented
As of ~May 1st all regions including Germany, China, and USGov are all encrypted at rest with Service Managed Keys.
You can read more on E@R here - https://docs.microsoft.com/en-us/azure/documentdb/documentdb-nosql-database-encryption-at-rest
Kantcho Manahov commented
It is a nice step forward to use DocumentDb as a production datastore.
Can we use our proper keys generated by KeyVault for the TDE, or will the keys be managed by MS as in SQL Azure?
Brian Mather commented
Looking forward to this
Jeff Maddox commented
I would like more details, such as how the keys are managed. Is it row, table or DB level encryption with the same key? How is the key stored and retrieved, and how is the key secured? Are you using key vault? How often are keys rotated?
Ivan Ho commented
Any update or timeline?
Maybe just a small update? Just a tiny little one? :)
It would be nice to get an update on this.
Christian N commented
Hi, without encryption, DocumentDB is currently not usable for us too. An update to the rollout plan would help us to decide if we could risk switching.
Grant Warren commented
Can we please get an update on the rollout plan for this? Will the rollout be taking place this quarter, or even this year, and which regions will be targeted first?
Any updates? Last update was November of last year, 3 months ago.
Is there an update on this feature? We are looking to adopt this technology but need encryption to work first.
Gavin Nielsen commented
Yes, I need to know this as well. It is very important to have data encrypted at rest for my multi-tenant system that I am in the midst of architecting right now. I would really like to use DocDB for its many advantages, but I need encryption at rest to make sure that every tenant can only see their own data and that my company cannot see their data either... Please update this thread to let us know where this feature stands. Thanks!
Orie Steele commented
Can we get an update on ETA?
Trying to decide if DocumentDB is worth integrating.
Without this feature, we cannot leverage any of the nice query semantics on encrypted data.
Might as well just store encrypted JSON blobs on S3 or Blob Storage and roll our own secondary indexes for each use case. Or use SQL, which supports TDE.
Any news about this feature?
Now we are all the way out of December. Any update on this?
Now that we are halfway through December, is this in private preview yet? Still ETA end of year (i.e. in two weeks)?
Thanks for your patience. This is planned pretty soon to be in private preview.
If there's no TDE I can't use DocumentDb. Simple as that.
Certainly DON'T WANT TDE. Overhead is far too high.