SQL TDE Question

Andrey Lau 1 Reputation point
2020-08-10T08:30:32.953+00:00

I went through the docs to set up SQL Server TDE Extensible Key Management by using Azure Key Vault.

I have a question: how to rotate the key without destroying the SQL database? What's the script?

Note: I am using a local SQL Server, not Azure SQL Database.

Transact-SQL

4 answers

  1. m 4,271 Reputation points
    2020-08-11T02:11:04.187+00:00

    Hi AndreyLau-2325,

    I have a question: how to rotate the key without destroying the SQL database? What's the script?

    Next is the process to rotate the keys and certificates used for TDE encryption:

    1. Create a new SQL TDE certificate;
    2. Backup the new SQL TDE certificate;
    3. Create the same SQL TDE certificate;
    4. Change encryption key for your databases;

    For more detailed steps and code, you can reference: rotate-tde-keys&certificates

    And this could be helpful: key-rotation-in-tde, SmartKey

    BR,
    Mia
    If the reply helped, do "Accept Answer" and upvote it.--Mia.

    1 person found this answer helpful.
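The four steps above as one T-SQL script, added here as an example; it is not Mia's code or the linked article's. It assumes a TDE database whose DEK is protected by a server certificate in `master`, and all certificate names, file paths, passwords and the database name are placeholders. Step 3 is read here as importing the same certificate on any other instance that has to host or restore the database (mirroring partner, AG secondary, DR server).

```sql
-- Added example, not from the answer above: rotate the certificate that protects
-- a TDE database encryption key (DEK). Only the DEK's protector changes; the DEK
-- itself and the data are not re-encrypted, so the database stays online.
-- All names, file paths and passwords are placeholders.
USE master;
GO

-- 1. Create the new TDE certificate (protected by the database master key of master).
CREATE CERTIFICATE TDE_Cert_2020
    WITH SUBJECT = 'TDE certificate, rotated 2020-08';
GO

-- 2. Back up the new certificate and its private key straight away. Every backup
--    taken after the rotation depends on this file pair to be restorable elsewhere.
BACKUP CERTIFICATE TDE_Cert_2020
    TO FILE = 'C:\TDE\TDE_Cert_2020.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDE\TDE_Cert_2020.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>');
GO

-- 3. Create the same certificate on any other instance that must host or restore
--    this database, by importing the backup there (run on the OTHER instance,
--    which needs its own database master key in master):
-- CREATE CERTIFICATE TDE_Cert_2020
--     FROM FILE = 'C:\TDE\TDE_Cert_2020.cer'
--     WITH PRIVATE KEY (
--         FILE = 'C:\TDE\TDE_Cert_2020.pvk',
--         DECRYPTION BY PASSWORD = '<strong-password-placeholder>');

-- 4. Re-protect the DEK of each TDE database with the new certificate.
USE MyTdeDatabase;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2020;
GO

-- Verify: the certificate name should be the new one and encryption_state should
-- still be 3 (encrypted). No re-encryption scan is started by this change.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.encryptor_type,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint;
```

Keep the old certificate (and its .cer/.pvk backup) until no backup protected by it is needed any more: a database backup is restorable only on an instance that holds the certificate that protected the DEK at backup time, so dropping the old certificate after rotation silently makes the older backups unrestorable.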

  2. m 4,271 Reputation points
    2020-08-13T03:25:40.773+00:00

    Hi AndreyLau-2325,

    Please reference the reply from this case : tde-regenerate-key

    BR,
    Mia
    If the reply helped, please "Accept Answer" and upvote it.--Mia


  3. Stratos Matzouranis 36 Reputation points
    2020-08-26T13:03:02.977+00:00

    Btw, even if the TDE certificate expires it'll still work.


  4. Graziano Tartari 56 Reputation points
    2021-05-03T15:02:32.42+00:00

    The question is unanswered I see.

    Using AKV we don't need certificates anymore, but the question of how to rotate is still alive.
    In Azure Key Vault you can create a new version of the key and re-encrypt the DEK.
    It works, but then you cannot re-encrypt the old backups anymore, and this is a problem because you cannot restore them.
    You have to create a new key, a new credential and a new login and preserve the oldest in order to restore the backups.

    Regards,
    Graziano.

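The "new key, new credential, new login, keep the old ones" approach from the answer above, written out as T-SQL for an on-premises SQL Server using the Azure Key Vault EKM provider. This is an added example, not Graziano's code or Microsoft's. It assumes the initial setup from the docs is already in place: the cryptographic provider is registered as `AzureKeyVault_EKM_Prov`, the administrator login doing the rotation already has a vault credential mapped to it, and a new key (a new key name, not a new version of the old key) has already been created in the vault. Vault name, secret, key names, login names and the database name are placeholders.

```sql
-- Added example, not from the answer above: rotate the Azure Key Vault key that
-- protects a TDE DEK on a local SQL Server, without touching the old key so that
-- backups taken under it remain restorable.
-- Assumptions: provider AzureKeyVault_EKM_Prov is registered, the admin login
-- running this already holds a credential for the vault, and the key named in
-- PROVIDER_KEY_NAME already exists in the vault. Other names are placeholders.
USE master;
GO

-- 1. A new credential for the new TDE login (same vault identity/secret as the
--    existing credentials; a login can carry only its own credential).
CREATE CREDENTIAL Azure_EKM_TDE_cred_2021
    WITH IDENTITY = '<vault-name-placeholder>',
         SECRET   = '<client-id-without-hyphens><client-secret-placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO

-- 2. A server-side asymmetric key object that references the NEW vault key.
--    CREATION_DISPOSITION = OPEN_EXISTING: the key material stays in the vault.
CREATE ASYMMETRIC KEY TDE_AKV_Key_2021
    FROM PROVIDER AzureKeyVault_EKM_Prov
    WITH PROVIDER_KEY_NAME = 'ContosoTdeKey2021',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 3. A login bound to the new key, with the new credential attached, so the
--    engine can reach the vault when it needs to unwrap the DEK.
CREATE LOGIN TDE_Login_2021 FROM ASYMMETRIC KEY TDE_AKV_Key_2021;
ALTER LOGIN TDE_Login_2021 ADD CREDENTIAL Azure_EKM_TDE_cred_2021;
GO

-- 4. Re-protect the DEK with the new key. Only the DEK's protector changes; data
--    is not re-encrypted and the database stays online.
USE MyTdeDatabase;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_AKV_Key_2021;
GO

-- 5. Deliberately NOT done here: dropping the previous asymmetric key object, its
--    login or credential, or deleting the old key in the vault. Backups taken
--    before step 4 are still protected by the old key and cannot be restored
--    without it, which is exactly the problem the answer describes.

-- Verify which vault-backed key now protects each database (state 3 = encrypted).
USE master;
GO
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.encryptor_type,
       a.name AS asymmetric_key_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.asymmetric_keys AS a
       ON a.thumbprint = k.encryptor_thumbprint;
```

Because the old key is never destroyed, a restore of a pre-rotation backup works on this instance without any extra step: the engine finds the DEK's protector by thumbprint among the asymmetric keys in `master`. On a different instance the same old and new key objects, credentials and logins have to exist (pointing at the same vault keys) before a restore will succeed, so record which vault key protected which backup range as part of the rotation runbook.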