Azure SQL Database

Encryption at rest is currently supported in two scenarios: Microsoft-managed server-side encryption and client-side encryption.

  • Server-side: This is currently provided through a feature called Transparent Data Encryption (TDE). Once TDE is enabled, the TDE keys are created and managed automatically on the user's behalf. TDE is enabled by default on newly created databases, and the database files are stored on the physical disk in an encrypted state. The encryption is transparent to the application: when you run a SELECT query, the data is returned unencrypted, and when you run an INSERT statement, the data is sent to the database unencrypted as well. Once it is written, SQL Database encrypts the data automatically. TDE can be enabled at both the database and the server level.
  • Client-side: Client-side encryption is supported through the Always Encrypted feature. This uses a key that is created and stored by the user. The master key can be stored in Azure Key Vault, a Windows certificate store, or a local hardware security module. Using SQL Server Management Studio, SQL users can choose which key they would like to use to encrypt which column. Always Encrypted is covered in more detail later in this chapter.
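The following T-SQL is an added example, not code from the book, showing both scenarios side by side: first a check of the TDE state of the current database (and the statement that turns TDE on where it is off), then the Always Encrypted objects that tie a column to a column master key held in Azure Key Vault. The key vault URL, the key names, the table and column names, and the `ENCRYPTED_VALUE` placeholder are all assumptions for illustration; the real encrypted CEK blob is generated by the client tooling (SSMS or the Always Encrypted PowerShell cmdlets) using the master key, never by hand.

```sql
-- ============================================================
-- 1. Server-side: Transparent Data Encryption (TDE)
-- ============================================================

-- encryption_state: 0 = no key, 1 = unencrypted, 2 = encryption in
-- progress, 3 = encrypted, 4 = key change in progress,
-- 5 = decryption in progress, 6 = protection change in progress.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.key_algorithm,
       dek.key_length,
       d.is_encrypted
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d ON d.database_id = dek.database_id;

-- TDE is on by default for new Azure SQL databases; this re-enables it
-- for a database where it has been switched off (run in the master
-- database context). Keys are Microsoft-managed, so nothing else is
-- needed. Hypothetical database name.
ALTER DATABASE [SalesDb] SET ENCRYPTION ON;

-- ============================================================
-- 2. Client-side: Always Encrypted with a Key Vault master key
-- ============================================================

-- The column master key (CMK) never leaves the key store; the database
-- only records where it lives. Hypothetical vault and key names.
CREATE COLUMN MASTER KEY [CMK_KeyVault]
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://contoso-kv.vault.azure.net/keys/AlwaysEncryptedCMK/0000000000000000'
);

-- The column encryption key (CEK) is stored in the database, but only
-- as a blob wrapped by the CMK with RSA-OAEP. The 0x00 below is a
-- placeholder: the real value comes from the client tool that holds
-- access to the CMK.
CREATE COLUMN ENCRYPTION KEY [CEK_Customers]
WITH VALUES (
    COLUMN_MASTER_KEY = [CMK_KeyVault],
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder, replace with generated CEK blob
);

-- Per-column choice of key and encryption type. DETERMINISTIC allows
-- equality lookups (and therefore leaks equality); RANDOMIZED does not.
-- Encrypted string columns must use a *_BIN2 collation.
CREATE TABLE dbo.Customers (
    CustomerId   INT IDENTITY(1,1) PRIMARY KEY,
    FullName     NVARCHAR(100) NOT NULL,
    NationalId   CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = [CEK_Customers],
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL,
    CreditLimit  DECIMAL(12,2)
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = [CEK_Customers],
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NULL
);

-- From a connection WITHOUT "Column Encryption Setting=Enabled", this
-- returns ciphertext for NationalId and CreditLimit; with it set, the
-- client driver fetches the CEK (via the CMK) and decrypts in-process.
SELECT CustomerId, FullName, NationalId, CreditLimit
FROM dbo.Customers;
```

The last query makes the difference between the two features visible: under TDE alone, the same SELECT returns plaintext to anyone who can connect, because the server holds the key and decrypts for every caller. With Always Encrypted, the server never has the CEK in usable form, so the DBA, a compromised connection, or a backup copy sees only ciphertext; only clients that can reach the master key in Key Vault get the plaintext.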

In the next section, we are going to encrypt and decrypt blobs in Microsoft Azure Storage using Azure Key Vault.
