From 6c6a06a93b936b0e97a023575d89e54e365974cb Mon Sep 17 00:00:00 2001
From: Ben <60398078+bwiggins10@users.noreply.github.com>
Date: Fri, 3 May 2024 14:39:10 -0400
Subject: [PATCH] Add check for TDE Key Algorithm and Key Length

---
 sp_CheckSecurity.sql | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/sp_CheckSecurity.sql b/sp_CheckSecurity.sql
index fcdec7c..8b7453b 100644
--- a/sp_CheckSecurity.sql
+++ b/sp_CheckSecurity.sql
@@ -674,6 +674,21 @@ INNER JOIN sys.dm_database_encryption_keys d
 ON c.thumbprint = d.encryptor_thumbprint;
 
+/* check TDE key algorithm and key length */
+INSERT #Results
+SELECT
+ 3
+ , 'Potential - review recommended'
+ , 'TDE uses legacy encryption algorithm'
+ , d.name
+ , 'The TDE encryption for database ' + d.name + ' uses the encryption algorithm ' + dek.key_algorithm + ' with a key length of ' + CAST(dek.key_length AS CHAR(4))
+ , 'The database encryption key should be regenerated to use the more secure AES_256 algorithm.'
+ , 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/choose-an-encryption-algorithm?view=sql-server-ver16'
+FROM sys.dm_database_encryption_keys dek
+ RIGHT JOIN master.sys.databases d ON d.database_id = dek.database_id
+WHERE dek.key_algorithm <> 'AES' or dek.key_length <> '256'
+
+
 /* check for database backup certificate backup */
 IF @SQLVersionMajor >= 12
 BEGIN
 SET @SQL = '
@@ -1162,4 +1177,4 @@ IF @ShowHighOnly = 0
 , ReadMoreURL
 FROM #Results
 ORDER BY 1, 2, 3, 4, 5
-
\ No newline at end of file
+
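Review bot: The `WHERE dek.key_algorithm <> 'AES' or dek.key_length <> '256'` predicate on the new TDE check makes the `RIGHT JOIN master.sys.databases` behave as an inner join (a NULL `dek.key_algorithm` on an unmatched, non-encrypted database evaluates to UNKNOWN and the row is dropped), so the outer join only obscures intent, and `key_length` is an int column compared against a string literal, which forces an implicit conversion on every row. I would write the tail of the statement as `FROM sys.dm_database_encryption_keys AS dek`, `INNER JOIN master.sys.databases AS d ON d.database_id = dek.database_id`, `WHERE dek.key_algorithm <> 'AES' OR dek.key_length <> 256`, which also restores the uppercase keyword convention the rest of the file uses. Separately, `CAST(dek.key_length AS CHAR(4))` pads three-digit lengths with a trailing space in the finding text; `VARCHAR(4)` avoids that. The result row is also labelled "legacy encryption algorithm" even when the key is AES_128 or AES_192, which the finding text should reflect, for instance `'TDE does not use AES_256'`.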