---
title: Security Considerations for SQL Server on Linux
description: Learn about SQL Server on Linux security overview, security best practices, and restrictions, including how using keys stored in Azure Key Vault and extensible Key Management aren't supported.
author: rwestMSFT
ms.author: randolphwest
ms.date: 11/24/2025
ms.service: sql
ms.subservice: linux
ms.topic: article
ms.custom:
---
[!INCLUDE SQL Server - Linux]
Securing [!INCLUDE ssnoversion-md] on Linux is an ongoing process because Linux is a heterogeneous and continuously evolving operating system. Our goal is to help our customers improve security incrementally, building on what they already have and refining over time. This page serves as an index of key practices and resources for securing [!INCLUDE ssnoversion-md] on Linux.
This article assumes that you deployed [!INCLUDE ssnoversion-md] on a hardened and secured Linux system. For more information, see Get started with SQL Server on SELinux.
Security practices vary by Linux distribution. For detailed guidance, contact your distribution provider and review their recommended best practices. You can also refer to documentation such as:
Always validate your chosen platform and configuration in a controlled test environment before deploying to production.
[!INCLUDE ssnoversion-md] on Linux offers a robust security framework combining multiple layers of protection.
- Create accounts and database users under the principle of least privilege.
- Use advanced features like row-level security and dynamic data masking for granular access control.
- File system security is enforced through strict ownership and permissions under `/var/opt/mssql`, ensuring only the `mssql` user and group have appropriate access.
- For enterprise integration, Active Directory authentication enables Kerberos-based single sign-on (SSO), centralized password policies, and group-based access management.
- Encrypted connections safeguard data in transit using TLS, with options for server- or client-initiated encryption, and support for certificates that meet industry standards.
Together, these capabilities deliver a comprehensive approach to securing [!INCLUDE ssnoversion-md] deployments on Linux. Review and implement recommendations from these key resources:
- Walkthrough for the security features of SQL Server on Linux
- SQL Server on Linux - Security and permissions guide
- Active Directory authentication for SQL Server on Linux
- Tutorial: Use adutil to configure Active Directory authentication with SQL Server on Linux
- Encrypt connections to SQL Server on Linux
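The following T-SQL script is an added example, not code from the original page or from Microsoft. It shows the first two items of the list above in practice: a database user that receives only the single `SELECT` permission the application needs, a row-level security policy that filters rows by a value the application places in `SESSION_CONTEXT`, and dynamic data masking on an e-mail column. The database `Sales`, the login `app_reader`, the table `dbo.Orders`, the `Security` schema, and the placeholder password are all assumptions for the example.

```sql
-- Added example (not from the original page): least-privilege access,
-- row-level security (RLS) and dynamic data masking (DDM).
-- Assumes a database named Sales already exists on the instance.
USE master;
GO
-- Server login for the application. Placeholder password; on Linux the
-- default policy is enforced when CHECK_POLICY = ON.
CREATE LOGIN app_reader WITH PASSWORD = '<StrongPassw0rd!>', CHECK_POLICY = ON;
GO
USE Sales;
GO
-- Map the login to a database user. A new user has no rights beyond public.
CREATE USER app_reader FOR LOGIN app_reader;
GO
-- Hypothetical table: each row belongs to one sales region.
CREATE TABLE dbo.Orders
(
    OrderId       INT IDENTITY PRIMARY KEY,
    Region        SYSNAME NOT NULL,
    CustomerEmail NVARCHAR(256) NOT NULL,
    Amount        DECIMAL(12, 2) NOT NULL
);
-- Constructed sample rows.
INSERT INTO dbo.Orders (Region, CustomerEmail, Amount)
VALUES (N'EMEA', N'alice@example.com', 120.00),
       (N'EMEA', N'bob@example.com',    75.50),
       (N'APAC', N'carol@example.com', 310.00);
GO
-- Least privilege: SELECT on this one table only, not db_datareader.
GRANT SELECT ON dbo.Orders TO app_reader;
GO
-- RLS predicate: a row is visible when its Region equals the value the
-- application stored in SESSION_CONTEXT after connecting; dbo sees all.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate (@Region AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @Region = CAST(SESSION_CONTEXT(N'Region') AS SYSNAME)
              OR USER_NAME() = N'dbo';
GO
CREATE SECURITY POLICY Security.OrdersFilter
    ADD FILTER PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Orders
    WITH (STATE = ON);
GO
-- DDM: users without the UNMASK permission see a masked e-mail address.
ALTER TABLE dbo.Orders
    ALTER COLUMN CustomerEmail ADD MASKED WITH (FUNCTION = 'email()');
GO
-- Verify from the application user's point of view.
EXEC sp_set_session_context @key = N'Region', @value = N'EMEA';
EXECUTE AS USER = 'app_reader';
SELECT OrderId, Region, CustomerEmail, Amount FROM dbo.Orders;
REVERT;
GO
```

Run as a sysadmin or the database owner. The final `SELECT` executes as `app_reader`, so it returns only the `EMEA` rows and the `CustomerEmail` values come back masked; the same query run as `dbo` returns every row unmasked. Setting the region in `SESSION_CONTEXT` keeps the filter key out of the application's SQL text, which is the pattern the RLS documentation recommends for middle-tier applications that connect with a shared login.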
[!INCLUDE ssnoversion-md] on Linux supports the built-in [!INCLUDE ssnoversion-md] Audit feature, enabling you to track and log server-level and database-level events for compliance and security monitoring.
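As an added example that is not part of the original page, the script below creates a server audit that writes to a directory under `/var/opt/mssql`, a server audit specification for failed logins and principal changes, and a database audit specification for reads and updates of one table, then queries the resulting audit files. The `audit/` subdirectory, the audit names, the `Sales` database and the `dbo.Orders` table are assumptions for the example.

```sql
-- Added example (not from the original page): SQL Server Audit on Linux.
-- Assumes the directory /var/opt/mssql/audit exists and is owned by the
-- mssql user and group (create it as root and chown it before running).
USE master;
GO
-- Audit target: rolling binary files under the SQL Server data root.
CREATE SERVER AUDIT Audit_Linux_Security
    TO FILE
    (
        FILEPATH = '/var/opt/mssql/audit/',
        MAXSIZE = 100 MB,
        MAX_ROLLOVER_FILES = 10
    )
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Server-level events: failed logins, login/role changes.
CREATE SERVER AUDIT SPECIFICATION Audit_Spec_Server
    FOR SERVER AUDIT Audit_Linux_Security
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Database-level events: who reads or modifies a sensitive table
-- (hypothetical table dbo.Orders in database Sales).
USE Sales;
GO
CREATE DATABASE AUDIT SPECIFICATION Audit_Spec_Orders
    FOR SERVER AUDIT Audit_Linux_Security
    ADD (SELECT, UPDATE ON OBJECT::dbo.Orders BY public)
    WITH (STATE = ON);
GO
USE master;
GO
-- Nothing is written until the audit itself is enabled.
ALTER SERVER AUDIT Audit_Linux_Security WITH (STATE = ON);
GO
-- Read the trail: failed logins (action_id LGIF) in the last 24 hours.
SELECT event_time, action_id, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file('/var/opt/mssql/audit/*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time > DATEADD(HOUR, -24, SYSUTCDATETIME())
ORDER BY event_time DESC;
GO
```

`ON_FAILURE = CONTINUE` keeps the instance running if the audit target becomes unwritable; choose `SHUTDOWN` or `FAIL_OPERATION` where a compliance requirement says that unaudited activity must not proceed. Because the audit files live under `/var/opt/mssql`, the file-system ownership rules described earlier on this page apply to them as well, and the files should be shipped off the host regularly so that a compromised server can't erase its own trail.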
- Regularly update the Linux operating system and [!INCLUDE ssnoversion-md].
- Dedicate production servers exclusively to [!INCLUDE ssnoversion-md] workloads.
- Apply the principle of least privilege for accounts and services.
- Disable the SA account as a best practice.
For common security best practices on Windows and Linux, refer to SQL Server security best practices.
[!INCLUDE connect-with-sa]
[!INCLUDE ssnoversion-md] on Linux currently has the following limitations:
- Starting with [!INCLUDE sssql25-md] on Linux, you can enforce a custom password policy. For more information, see Set custom password policy for SQL logins in SQL Server on Linux.
  In [!INCLUDE sssql22-md] on Linux and earlier versions, we provide a standard password policy:
  - `MUST_CHANGE` is the only option you can configure.
  - With the `CHECK_POLICY` option enabled, only the default policy provided by [!INCLUDE ssnoversion-md] is enforced; the Windows password policies defined in the Active Directory group policies don't apply.
  - Password expiration is hard-coded to 90 days if you use [!INCLUDE ssnoversion-md] authentication. To work around this issue, consider changing the password with `ALTER LOGIN`.
- Extensible Key Management (EKM) is only supported through Azure Key Vault (AKV) in [!INCLUDE sssql22-md] CU12 onward, and isn't available in earlier versions. Third-party EKM providers aren't supported for [!INCLUDE ssnoversion-md] on Linux operating systems.
- [!INCLUDE ssnoversion-md] authentication mode can't be disabled.
- [!INCLUDE ssnoversion-md] generates its own self-signed certificate for encrypting connections. You can configure [!INCLUDE ssnoversion-md] to use a user-provided certificate for TLS.
- [!INCLUDE ssnoversion-md] on Linux deployments aren't FIPS compliant.
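The script below is an added example, not code from the original page or from Microsoft, and serves two passages above: the best-practice item to disable the SA account, and the password-policy limitations for [!INCLUDE sssql22-md] and earlier on Linux (`MUST_CHANGE` as the only configurable option, `CHECK_POLICY` enforcing only the built-in policy, and the fixed 90-day expiration worked around with `ALTER LOGIN`). The login name `dba_admin` and both passwords are placeholders.

```sql
-- Added example (not from the original page): named administrator,
-- standard password policy, SA disabled, expiration check and rotation.
USE master;
GO
-- 1. Create a named sysadmin login BEFORE disabling sa, so that an
--    administrative path always exists. MUST_CHANGE forces a new password
--    at first connection; it requires CHECK_EXPIRATION and CHECK_POLICY.
CREATE LOGIN dba_admin
    WITH PASSWORD = '<StrongTempPassw0rd!>' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER dba_admin;
GO
-- 2. Disable sa. Existing sa sessions stay open; new ones are refused.
ALTER LOGIN sa DISABLE;
GO
-- 3. Inventory SQL logins with their policy and expiration state.
--    On Linux (SQL Server 2022 and earlier) DaysUntilExpiration counts
--    down from the hard-coded 90 days after PasswordLastSetTime.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
       LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(name, 'IsMustChange')        AS must_change
FROM sys.sql_logins
ORDER BY name;
GO
-- 4. Work-around for the fixed 90-day expiration: rotate the password with
--    ALTER LOGIN before it lapses, which resets PasswordLastSetTime.
ALTER LOGIN dba_admin WITH PASSWORD = '<NewStrongPassw0rd!>';
GO
```

Run the first two steps in that order from an existing sysadmin session; the inventory query in step 3 is the one to schedule, since a login whose `days_until_expiration` reaches zero is locked out of [!INCLUDE ssnoversion-md] authentication until an administrator runs step 4 for it.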
For information about securing [!INCLUDE ssnoversion-md] containers, see Secure SQL Server Linux containers.