migrate tde cert to Azure sql mi

Question

migrate tde cert to Azure sql mi

sakuraime 2,276

Add-AzSqlManagedInstanceTransparentDataEncryptionCertificate is the command to add a tde cert to azure sql mi

but I have difficulty of list the TDE cert imported ( I can't see it by using SSMS to the Azure SQL Mi under master-> certificate)

how to list ? or can export back? How to rotate the certificate ?

Answer 1

KalyanChanumolu-MSFT 8,251 Microsoft Employee

@sakuraime Thank you for reaching out.
You should be able to retreive the details using Get-AzSqlInstanceTransparentDataEncryptionProtector

The process to add a Key in BYOK scenario involves configuring a KeyVault NetworkRuleSet and AccessPolicy, these steps are simplified into an easy to use script. Please check if you are following all the steps.

The process to rotate the TDE Keys is here

----------

If an answer is helpful, please "Accept answer" or "Up-Vote" which might help other community members reading this thread.

sakuraime 2,276 Reputation points

2021-04-28T01:34:06.883+00:00

thanks. but I think this should be a different things

I refer to the certificate that protect the DEK in the database . Not the protector of the certificate

are there command like the following

get-AzSqlManagedInstanceTransparentDataEncryptionCertificate
KalyanChanumolu-MSFT 8,251 Reputation points Microsoft Employee

2021-04-28T12:53:55.793+00:00

@sakuraime Are you trying to export the certificate from the database instance?
You will need to do so if you want to migrate a certificate of a TDE-protected SQL Server database (OnPremises or VM) to Azure SQL Managed Instance.

I don't quite understand the use case to export the certificate from MI.
Could you please elaborate?
sakuraime 2,276 Reputation points

2021-04-28T13:00:17.11+00:00

https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/tde-certificate-migrate?tabs=azure-powershell

please have a look
KalyanChanumolu-MSFT 8,251 Reputation points Microsoft Employee

2021-04-30T06:43:20.22+00:00

@sakuraime This is the scenario i was referencing in my earlier comment. This applies only when you have an existing TDE protected database on-premises and you are migrating that database to Azure SQL MI.
You perform the export operation on your on-premises SQL server and upload it to Managed instance.

I am trying to understand why you need an get-AzSqlManagedInstanceTransparentDataEncryptionCertificate cmdlet because you don't export the certificate from managed instance.
sakuraime 2,276 Reputation points

2021-05-04T10:33:53.837+00:00

ithanks. I mean I would like to verify the certificate are imported to the MI after
Add-AzSqlManagedInstanceTransparentDataEncryptionCertificate

migrate tde cert to Azure sql mi

1 answer

Activity