TDE for SQL on Azure VM

sakuraime 2,321 Reputation points
2020-08-22T10:10:21.733+00:00

I have 3 nodes of AAG replica, 2 in East Asia and 1 in Southeast Asia,
and there are also 2 Azure Key Vaults, one in East Asia and one in Southeast Asia.

So I would like to know if there is an option to sync the TDE key between the two Key Vaults,
and have the Key Vault connector from ALL replicas point to East Asia?

Or do I need to export the key from East Asia and import it into the Southeast Asia Key Vault, and make the Southeast Asia replica point to the Southeast Asia Key Vault?


3 answers

  1. NOBTA 86 Reputation points
    2020-08-22T15:40:08.557+00:00

    I don't think that there is a way to sync the TDE key between two Key Vaults, so I believe the Key Vault connector from ALL replicas needs to point to the key container where the key is managed. Or use a certificate instead of using SQL Server TDE EKM with Azure Key Vault if you don't want to point to a TDE key that is managed in another region.


  2. sakuraime 2,321 Reputation points
    2020-08-23T02:25:10.17+00:00

    So what's the procedure when DR is triggered?


  3. NOBTA 86 Reputation points
    2020-08-24T00:43:33.5+00:00

    In my case, I gave up on using Azure Key Vault and chose the method of using a certificate because I didn't want to point to a TDE key that is managed in another region.

    https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15

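The certificate-based approach NOBTA describes, as an added example (not code from the thread or from Microsoft's documentation): the TDE certificate lives in the master database of every Availability Group replica, so no replica depends on a Key Vault in another region and a DR failover needs no key-vault step. The certificate name `TDE_AG_Cert`, the database name `AGDatabase`, the file paths and the passwords are placeholders.

```sql
-- Added example: TDE protected by a SQL Server certificate that is copied to every
-- AG replica. Names, paths and passwords are placeholders, not values from the thread.

-- 1) Primary replica: database master key, certificate, and TDE on the AG database.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
CREATE CERTIFICATE TDE_AG_Cert WITH SUBJECT = 'TDE certificate for AG databases';
GO
-- Back up the certificate WITH its private key; without this backup the secondaries
-- (and any restore after a disaster) cannot open the encrypted database.
BACKUP CERTIFICATE TDE_AG_Cert
    TO FILE = 'D:\TDE\TDE_AG_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE\TDE_AG_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
USE AGDatabase;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_AG_Cert;
GO
ALTER DATABASE AGDatabase SET ENCRYPTION ON;
GO

-- 2) Each secondary replica (second East Asia node, Southeast Asia node): restore the
--    same certificate into master BEFORE seeding or restoring the database there,
--    otherwise the replica cannot decrypt the log stream it receives.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
CREATE CERTIFICATE TDE_AG_Cert
    FROM FILE = 'D:\TDE\TDE_AG_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE\TDE_AG_Cert.pvk',
        DECRYPTION BY PASSWORD = '<strong private key password>');
GO

-- 3) Check on any replica: encryption finished (state 3) and the DEK is protected by
--    the expected certificate thumbprint. Run this after failover too.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,            -- 3 = encrypted, 2 = encryption in progress
       dek.encryptor_type,              -- CERTIFICATE here, ASYMMETRIC KEY for EKM/Key Vault
       c.name            AS certificate_name
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
GO
```

Because the certificate and its private key are present in master on all three nodes, a failover to the Southeast Asia replica does not touch either Key Vault. The trade-off is that the `.cer`/`.pvk` backup and its password now have to be stored and rotated as carefully as the Key Vault key would have been.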