Edit

Rotate enclave-enabled keys

  • Article

Applies to: SQL Server 2019 (15.x) and later - Windows only Azure SQL Database

In Always Encrypted, a key rotation is a process of replacing an existing column master key or a column encryption key with a new key. This article describes use cases and considerations for key rotation specific to Always Encrypted with secure enclaves when either the initial key and/or the target (new) key is an enclave-enabled key. For general guidelines and processes for managing Always Encrypted keys, see Overview of key management for Always Encrypted.

You may need to rotate a key for security or compliance reasons. For example, if a key has been compromised or your organization's policies require you to replace keys periodically. In addition, Always Encrypted with secure enclaves key rotation provides a way to enable or disable the functionality of the server-side secure enclave for your encrypted columns.

  • When you replace a key that isn't enclave-enabled with an enclave-enabled key, you unlock the functionality of the secure enclave to query on columns that are protected with the key. For more information, see Enable Always Encrypted with secure enclaves for existing encrypted columns.
  • When you replace an enclave-enabled key with a key that isn't enclave-enabled, you disable the functionality of the secure enclave to query on columns that are protected with the key.

If you're rotating a key only for security/compliance reasons, and not to enable or disable enclave computations for your columns, make sure the target key has the same configuration regarding enclaves as the source key. For example, if the source key is enclave-enabled, the target key should also be enclave-enabled.

The below steps include links to detailed articles, depending on your rotation scenario:

  1. Provision a new key (a column master key or a column encryption key).
  2. Replace an existing key with the new key.

Next steps

See also