question

0 Votes
AndreyLau-2325 asked, GrazianoTartari-6204 answered

SQL TDE Question

I went through the docs to set up SQL Server TDE Extensible Key Management by using Azure Key Vault.

I have a question: how to rotate the key without destroying the SQL database? What's the script?

Note: I am using local SQL Server, not Azure SQL Database.

sql-server-transact-sql

Hi AndreyLau-2325,

Is the reply helpful?

BR,
Mia
If the reply helped, "Accept Answer" and upvote it.--Mia

0 Votes
1 Vote
MiaMiao-MSFT answered, MiaMiao-MSFT edited

Hi AndreyLau-2325,

I have a question: how to rotate the key without destroying the SQL database? What's the script?

Next is the process to rotate the keys and certificates used for TDE encryption:

  1. Create a new SQL TDE certificate;

  2. Backup the new SQL TDE certificate;

  3. Create the same SQL TDE certificate;

  4. Change encryption key for your databases;

For more detailed steps and code, you can reference: rotate-tde-keys&certificates

And this could be helpful: key-rotation-in-tde, SmartKey


BR,
Mia
If the reply helped, do "Accept Answer" and upvote it.--Mia.



0 Votes
MiaMiao-MSFT answered

Hi AndreyLau-2325,

Please reference the reply from this case: tde-regenerate-key

BR,
Mia
If the reply helped, please "Accept Answer" and upvote it.--Mia


0 Votes
StratosMatzouranis answered

Btw, even if the TDE certificate expires, it'll still work.


0 Votes
GrazianoTartari-6204 answered

The question is unanswered, I see.

Using AKV we don't need a certificate anymore, but the question of how to rotate is still alive.
In Azure Key Vault you can create a new version of the key and re-encrypt the DEK.
It works, but then you cannot re-encrypt the old backups anymore, and this is a problem because you cannot restore them.
You have to create a new key, a new credential and a new login, and preserve the old ones in order to restore the backups.



Regards,
Graziano.
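Mia's step list and Graziano's answer describe the same rotation for the Key Vault / EKM case. The T-SQL below is an added example written for this thread; it is not code from either answer or from the Microsoft docs. It re-wraps an already-encrypted database's DEK under a second Key Vault key while keeping the first key, credential and login in place so that backups taken before the rotation still restore. The EKM provider name, vault name, key names, credential, login, database and the secret value are all placeholders that must be replaced with your own, and the script needs a reachable vault to run.

```sql
-- Added example: rotate the TDE protector to a new Azure Key Vault key under
-- SQL Server EKM, keeping the old protector so older backups still restore.
-- Assumptions (placeholders): the EKM provider [AzureKeyVault_EKM_Prov] is
-- already registered, and [ContosoDB] is already encrypted with a DEK protected
-- by the asymmetric key [TDE_AKV_Key_v1] (with its own credential and login).
USE master;
GO

-- 1. Register the new vault key (or new key version) as a second asymmetric key.
--    OPEN_EXISTING binds to a key that already exists in the vault; the private
--    key never leaves Key Vault.
CREATE ASYMMETRIC KEY TDE_AKV_Key_v2
FROM PROVIDER [AzureKeyVault_EKM_Prov]
WITH PROVIDER_KEY_NAME = 'contoso-tde-key-v2',   -- placeholder: key name in the vault
     CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 2. A credential and a login dedicated to the new key, so the Database Engine
--    can reach the vault on behalf of that key. SECRET is the app's client id
--    (hyphens removed) immediately followed by its client secret; placeholder here.
CREATE CREDENTIAL TDE_AKV_cred_v2
WITH IDENTITY = 'contoso-key-vault',               -- placeholder: vault name
     SECRET    = '<clientid-without-hyphens><client-secret>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO

CREATE LOGIN TDE_AKV_Login_v2 FROM ASYMMETRIC KEY TDE_AKV_Key_v2;
ALTER LOGIN TDE_AKV_Login_v2 ADD CREDENTIAL TDE_AKV_cred_v2;
GO

-- 3. Re-encrypt the DEK with the new protector. Only the DEK is re-wrapped;
--    data pages are not rewritten and the database stays online.
USE ContosoDB;
GO
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_AKV_Key_v2;
GO

-- Optional: rotate the DEK itself. Unlike step 3 this starts an encryption scan
-- that rewrites every page, so schedule it like the initial encryption.
-- ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;

-- 4. Verify which protector each encrypted database now uses
--    (encryption_state 3 = encrypted; the thumbprint maps back to the key name).
SELECT d.name,
       k.encryption_state,
       k.encryptor_type,
       ak.name AS protector_key
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d
  ON d.database_id = k.database_id
LEFT JOIN master.sys.asymmetric_keys AS ak
  ON ak.thumbprint = k.encryptor_thumbprint;
GO

-- 5. Do NOT drop TDE_AKV_Key_v1, its credential or its login, and do not delete
--    the v1 key in the vault: every backup taken before step 3 carries a DEK
--    wrapped by v1 and can only be restored while v1 is still reachable.
--    Take a fresh backup now so you also hold one protected by v2.
BACKUP DATABASE ContosoDB
TO DISK = N'<backup-path>\ContosoDB_after_rotation.bak';   -- placeholder path
GO
```

Step 3 is the operation Graziano describes as "re-encrypt the DEK"; steps 1, 2 and 5 are the extra key, credential and login he says must be created and the old ones he says must be preserved. The query in step 4 is the check to run after the rotation and again after a test restore of an old backup, which is the only reliable way to confirm the old protector is still usable.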
