Transparent Data Encryptions - Create Or Update

Reference

Service:: SQL Database

API Version:: 2021-11-01

Updates a logical database's transparent data encryption configuration.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/transparentDataEncryption/current?api-version=2021-11-01

URI Parameters

Name	In	Required	Type	Description
databaseName	path	True	string	The name of the logical database for which the security alert policy is defined.
resourceGroupName	path	True	string	The name of the resource group that contains the resource. You can obtain this value from the Azure Resource Manager API or the portal.
serverName	path	True	string	The name of the server.
subscriptionId	path	True	string	The subscription ID that identifies an Azure subscription.
tdeName	path	True	TransparentDataEncryptionName	The name of the transparent data encryption configuration.
api-version	query	True	string	The API version to use for the request.

Request Body

Name	Required	Type	Description
properties.state	True	TransparentDataEncryptionState	Specifies the state of the transparent data encryption.

Responses

Name	Type	Description
200 OK	LogicalDatabaseTransparentDataEncryption	Successfully updated the database Transparent Data Encryption state.
201 Created	LogicalDatabaseTransparentDataEncryption	Successfully created the database transparent data encryption state.
202 Accepted		Creating or updating the database transparent data encryption configuration is in progress.
Other Status Codes		* Error Responses: * 400 SecurityAdalPrincipalCertExpiredError - The operation could not be completed because the Azure Key Vault principal certificate has expired. 400 AkvHostNotResolvingFromNode - AKV host '{0}' is not resolvable from SQL, on server '{1}'. 400 SecurityInvalidAzureKeyVaultRecoveryLevel - The provided Key Vault uri is not valid. 400 KeyMaterialNotFoundOnRemoteServer - Remote server does not have access to key material used as a TDE protector. 400 AzureKeyVaultRsaKeyNotSupported - The provided key vault uses unsupported RSA Key Size or Key Type. The supported RSA key size is 2048 or 3072 and Key Type is RSA or RSA-HSM. 400 AzureKeyVaultKeyDisabled - The operation could not be completed on the server because the Azure Key Vault key is disabled. 400 AzureKeyVaultInvalidExpirationDate - The operation could not be completed because the Azure Key Vault key expiration date is invalid. 400 SameKeyUriNotFoundOnRemoteServer - Secondary server does not have the key material from the same key vault as the primary server's encryption protector with key auto-rotation enabled. 400 SecurityAzureKeyVaultUrlNullOrEmpty - The operation could not be completed because the Azure Key Vault Uri is null or empty. 400 SameKeyMaterialNotFoundOnRemoteServer - Secondary server does not have the key material of the primary server's encryption protector. 400 PerDatabaseCMKRestoreNotSupported - Database restore is not supported when Database-level CMK is configured in preview. 400 AzureKeyVaultNoServerIdentity - The server identity is not correctly configured. 400 PerDatabaseCMKHSNotSupported - Database-level CMK in preview is not supported for Hyperscale edition. 400 AzureKeyVaultInvalidUri - An invalid response from Azure Key Vault. Please use a valid Azure Key Vault URI. 400 AzureKeyVaultMissingPermissions - The server is missing required permissions on the Azure Key Vault. 400 UmiMissingAkvPermissions - PrimaryUserAssignedIdentityId provided by user does not have access to KeyId provided 400 AkvEndpointNotReachableFromNode - AKV endpoint '{0}' is not reachable from SQL, on server '{1}'. 400 SecurityAzureKeyVaultInvalidKeyName - The operation could not be completed because of an invalid Server Key name. 400 AdalGenericError - The operation could not be completed because an Azure Active Directory error was encountered. 400 AdalServicePrincipalNotFound - The operation could not be completed because an Azure Active Directory library Service Principal not found error was encountered. 400 AzureKeyVaultMalformedVaultUri - The provided Key Vault uri is not valid. 400 SecurityAzureKeyVaultGeoChainError - Creating secondary of secondary (a process known as chaining) is not supported when enabling Transparent Data Encryption using Azure Key Vault (BYOK). 400 PerDatabaseCMKDWNotSupported - Database-level CMK in preview is not supported for Datawarehouse edition. 400 ReadOnly - Cannot enable or modify database encryption on a database that is read-only, has read-only files or is not recovered. 400 CanNotDropAlterOnMirror - Please modify Transparent Data Encryption on the primary databases. 400 AttemptedEncryptionOnSystemDatabase - Cannot encrypt a system database. Database encryption operations cannot be performed for 'master', 'model', 'tempdb', 'msdb', or 'resource' databases. 400 InvalidTransparentDataEncryptionUpdateRequest - Please enter a valid state. Please use "Enabled" or "Disabled". 400 InvalidTransparentDataEncryptionName - The transparent data encryption key name is not supported. 401 CanNotChangeReadOnlyDuringTdeScan - Cannot modify filegroup read-only/read-write state while an encryption transition is in progress. 409 ServerKeyNameAlreadyExists - The server key already exists on the server. 409 ServerKeyUriAlreadyExists - The server key URI already exists on the server. 409 ServerKeyDoesNotExists - The server key does not exist. 409 AzureKeyVaultKeyNameNotFound - The operation could not be completed because the Azure Key Vault Key name does not exist. 409 AzureKeyVaultKeyInUse - The key is currently being used by the server. 409 NeedsLogBackup - Please wait several minutes for a log backup to occur. 409 EncryptionInProgress - Cannot modify encryption while an encryption scan in progress. 409 KeyChangeInProgress - Cannot change database encryption key while an encryption, decryption, or key change scan is in progress. 409 NoBulkOperationLock - CREATE/ALTER/DROP DATABASE ENCRYPTION KEY failed because a lock could not be placed on database. Try again later. 409 AltStateConflict - The operation cannot be performed on database because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group. 503 AzureKeyVaultConnectionFailed - The operation could not be completed on the server because attempts to connect to Azure Key Vault have failed 503 AzureKeyVaultGenericConnectionError - The operation could not be completed because an error was encountered when attempting to retrieve Key Vault information . 503 NoDekLock - CREATE/ALTER/DROP DATABASE ENCRYPTION KEY failed because a lock could not be placed on the database. Try again later.

Examples

Update a database's Transparent Data Encryption state with minimal parameters

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/securitytde-42-rg/providers/Microsoft.Sql/servers/securitytde-42/databases/testdb/transparentDataEncryption/current?api-version=2021-11-01

{
  "properties": {
    "state": "Enabled"
  }
}


import com.azure.core.util.Context;
import com.azure.resourcemanager.sql.fluent.models.LogicalDatabaseTransparentDataEncryptionInner;
import com.azure.resourcemanager.sql.models.TransparentDataEncryptionName;
import com.azure.resourcemanager.sql.models.TransparentDataEncryptionState;

/** Samples for TransparentDataEncryptions CreateOrUpdate. */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/sql/resource-manager/Microsoft.Sql/stable/2021-11-01/examples/TransparentDataEncryptionUpdate.json
     */
    /**
     * Sample code: Update a database's Transparent Data Encryption state with minimal parameters.
     *
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void updateADatabaseSTransparentDataEncryptionStateWithMinimalParameters(
        com.azure.resourcemanager.AzureResourceManager azure) {
        azure.sqlServers().manager().serviceClient().getTransparentDataEncryptions().createOrUpdate("securitytde-42-rg",
            "securitytde-42", "testdb", TransparentDataEncryptionName.CURRENT,
            new LogicalDatabaseTransparentDataEncryptionInner().withState(TransparentDataEncryptionState.ENABLED),
            Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 200

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/securitytde-42-rg/providers/Microsoft.Sql/servers/securitytde-42/databases/testdb/transparentDataEncryption",
  "name": "current",
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "properties": {
    "state": "Enabled"
  }
}

Status code:: 201

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/securitytde-42-rg/providers/Microsoft.Sql/servers/securitytde-42/databases/testdb/transparentDataEncryption",
  "name": "current",
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "properties": {
    "state": "Enabled"
  }
}

Status code:: 202

Definitions

Name	Description
LogicalDatabaseTransparentDataEncryption	A logical database transparent data encryption state.
TransparentDataEncryptionName	The name of the transparent data encryption configuration.
TransparentDataEncryptionState	Specifies the state of the transparent data encryption.

LogicalDatabaseTransparentDataEncryption

A logical database transparent data encryption state.

Name	Type	Description
id	string	Resource ID.
name	string	Resource name.
properties.state	TransparentDataEncryptionState	Specifies the state of the transparent data encryption.
type	string	Resource type.

TransparentDataEncryptionName

The name of the transparent data encryption configuration.

Name	Type	Description
current	string

TransparentDataEncryptionState

Specifies the state of the transparent data encryption.

Name	Type	Description
Disabled	string
Enabled	string