I don't think that there is a way to sync the TDE key between two Key Vaults, so I believe the Key Vault connector on ALL replicas needs to point to the key container in which the key is managed. Or use a certificate instead of SQL Server TDE EKM with Azure Key Vault if you don't want to point to a TDE key that is managed in another region.
TDE for SQL on Azure VM
I have 3 AAG replica nodes, 2 in East Asia and 1 in Southeast Asia.
There are also 2 Azure Key Vaults, one in East Asia and one in Southeast Asia.
So I would like to know whether there is an option to sync the TDE key between the two Key Vaults,
with the Key Vault connector on ALL replicas pointing to East Asia?
Or do I need to export the key from the East Asia Key Vault and import it into the Southeast Asia Key Vault, and make the Southeast Asia replica point to the Southeast Asia Key Vault?
3 answers
sakuraime 2,326 Reputation points
2020-08-23T02:25:10.17+00:00 So what's the procedure when DR is triggered?
NOBTA 86 Reputation points
2020-08-24T00:43:33.5+00:00 In my case, I gave up on using Azure Key Vault and chose the certificate method, because I didn't want to point to a TDE key that is managed in another region.
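The first answer and NOBTA's comment both describe the certificate-based alternative to the Azure Key Vault EKM provider: the TDE certificate lives in the master database of every replica, so no replica depends on a Key Vault in another region at failover time. The T-SQL below is an added illustration of that setup for the three-replica AG in the question; it is not code from the thread. The certificate name TDE_Cert, the database name AGDatabase, the file paths and the password placeholders are assumptions.

```sql
-- ===== Step 1: on the PRIMARY replica (East Asia) =====
-- The database master key (DMK) protects the certificate's private key
-- in master; its password may differ per instance.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password for this instance>';
GO
-- Hypothetical certificate name; this certificate becomes the TDE encryptor.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for AG databases';
GO
-- Back up the certificate AND its private key. Assumed paths; keep the
-- password separate from the files and store the backup somewhere durable.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\TDE\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDE\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-- ===== Step 2: on EACH SECONDARY replica (East Asia #2, Southeast Asia) =====
-- Copy TDE_Cert.cer / TDE_Cert.pvk to the node over a secure channel first.
-- The certificate must exist here BEFORE the database is restored/joined,
-- otherwise the secondary cannot decrypt the database encryption key.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password for this instance>';
GO
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'C:\TDE\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDE\TDE_Cert.pvk',
        DECRYPTION BY PASSWORD = '<strong private key password>');
GO
-- Delete the .cer/.pvk files from the node once the import has succeeded.

-- ===== Step 3: back on the PRIMARY, enable TDE on the AG database =====
USE AGDatabase;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE AGDatabase SET ENCRYPTION ON;
GO

-- ===== Step 4: verify on EVERY replica =====
-- encryption_state 3 = encrypted. encryptor_thumbprint must resolve to a
-- certificate in this instance's master database; a NULL cert_name means
-- the certificate was not imported on this node and failover would fail.
SELECT  d.name               AS database_name,
        e.encryption_state,
        e.encryptor_type,
        e.encryptor_thumbprint,
        c.name               AS cert_name
FROM    sys.dm_database_encryption_keys AS e
JOIN    sys.databases                   AS d ON d.database_id = e.database_id
LEFT JOIN master.sys.certificates       AS c ON c.thumbprint = e.encryptor_thumbprint;
GO
```

The verification query is the check to run after any DR drill: if cert_name comes back NULL on the Southeast Asia node, that replica can receive log blocks but cannot serve the database after failover. Rotating the certificate later means repeating steps 1 and 2 for the new certificate on all replicas before running ALTER DATABASE ENCRYPTION KEY ... ENCRYPTION BY SERVER CERTIFICATE on the primary.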