Azure SQL Database TDE

  • Hi All,

    Sorry to post here didn't find a forum to post Azure related Q's.

    We are planning to have an Azure SQL Database as planning to enable to TDE on the same. The DEK will be encrypted again by KEK which will be stored in Azure vault . Experts please help me understand below

    1. Is there any policy to change the KEK perdiodically  if Yes whats the duration?
    2. What happens if we change the KEK, do we need to restart the server ? what happens to DB?
    3. Can I change KEK only after decrypting the DB?

    Thanks in Advance

     

  • This is a resource I trust very much talking about this topic. His suggestion is to change the keys every two years. Read the article for more details.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • Grant Fritchey wrote:

    This is a resource I trust very much talking about this topic. His suggestion is to change the keys every two years. Read the article for more details.

     

    Thanks Grant.

    The post not mentioning anything on KEK.

    • This reply was modified 5 years, 6 months ago by  Rechana Rajan.
  • So.. just a note to add.. Azure automatically uses TDE on all databases.. and if you leave it on the default of letting azure handle the key it swaps out the key every 90 days.

     

    Also, you shouldnt have to decrypt to update the master key

    USE master; ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'YourNewPasswordHere'

    • This reply was modified 5 years, 6 months ago by  oogibah.

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply