SQLEKM| Can GUID associated with key be updated with new GUID

Question

There is one migration activity going on in which we are migrating from one provider to a different provider with different GUID.
Now we need to restore the live data whose key is associated with one GUID.
Is there any way by which GUID of the key can be updated?

Answer 1

Is the guid you are talking about master.sys.asymmetric_keys.cryptographic_provider_guid?

The only way to change that would be to change the system catalog directly, but I am not going to say how to do that, because it would render you installation unsupported. And most likely it would not work.

You need to rotate your TDE key. If you don't want to decrypt it before migrating to the new server, you will need to have both providers in installed for this operation.

With the same caveat as before: I have never worked with EKM. What I'm saying is based on common sense and reading between the lines in the syntax.

Answer 2

This is a little confusing, but let me put a few thoughts here, and ask a couple questions.

For TDE, we do not get to separate the DEK from the database. This is in the database, and has no backup/restore. This cannot be used for other purposes. There is a certificate, which can be in master (sys.certificates) or in an EKM provider. This key is used to encrypt/decrypt the DEK key. If you want to change this certificate to a new one, you perform key rotation. an example here: https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-key-rotation?tabs=azure-powershell

This allow you to decrypt the DEK key from EKM A, and then re-encrypt it with EKM B.

For column level encryption, do you have the key as a certificate in EKM provider A? If so, you would need to decrypt the data or keys in use and re-encrypt them with EKM B in the same manner.