Updating a Cryptographic Provider for EKM with Azure Key Vault - Level 5 of the Stairway to TDE

  • Comments posted to this topic are about the item Updating a Cryptographic Provider for EKM with Azure Key Vault - Level 5 of the Stairway to TDE

    Vishnu Gupthan
    PowershellAcademy
    www.powershellacademy.com

  • Upgrading a cryptographic provider can be accomplished without restarting the instance or dropping the provider, with the key provision that this only works if the name of the provider file does not change.

You can rename the provider .dll file in Windows even if it is in use. Once SQL Server opens the file, it uses a pointer to the file for further operations, not the file name. This allows replacing the EKM dll without a restart:

    1. Leave the server running and TDE databases online.
2. Download the updated provider .dll to a temp folder.
    3. Rename the old in-use provider dll file (I usually add ".old" to the end of the filename). This lets us copy the new provider file to that location without conflict. You can't delete the file because SQL Server is still using it, even though you renamed it. SQL will continue to run normally as if you had changed nothing.
    4. Copy the updated provider dll to that directory.
    5. That's it. You're done. The new provider will be picked up and used the next time the server restarts. SQL Server will continue to run normally using the old provider file. Once the instance has restarted and begun using the new provider file, you can delete the old one.

    I've used this technique many times on busy multi-TB databases. It's safe and silent.

    Note that if you are updating the provider file because the Authenticode signature is expiring, you still won't need to restart, even if the signature expired while the server was running. The signature is checked only when the provider is loaded (usually at startup).

    Eddie Wuerch
    MCM: SQL
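The rename-and-copy swap from the steps above, as an added PowerShell example that is not part of the thread; it adds a signature and version check before the in-use file is touched. The provider and download paths are assumptions, and the script is run on the SQL Server host.

```powershell
# Added example (not from the thread): the in-place provider swap described above,
# with an Authenticode/version check before the in-use file is renamed.
# $ProviderPath and $NewDllPath are assumptions; substitute your own paths.
param(
    [string]$ProviderPath = 'C:\EKM\Provider.dll',   # assumed: the .dll currently loaded by SQL Server
    [string]$NewDllPath   = 'C:\Temp\Provider.dll'   # assumed: the downloaded update
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to deploy a file whose Authenticode signature is not valid. SQL Server checks
#    the signature only when the provider is loaded, so a bad file would not be noticed
#    until the next restart, when TDE databases would fail to come online.
$sig = Get-AuthenticodeSignature -FilePath $NewDllPath
if ($sig.Status -ne 'Valid') {
    throw "New provider '$NewDllPath' signature status is $($sig.Status); not deploying."
}

# 2. Record versions and hashes so the change is auditable.
$oldVer  = (Get-Item $ProviderPath).VersionInfo.FileVersion
$newVer  = (Get-Item $NewDllPath).VersionInfo.FileVersion
$oldHash = (Get-FileHash -Algorithm SHA256 -Path $ProviderPath).Hash
$newHash = (Get-FileHash -Algorithm SHA256 -Path $NewDllPath).Hash
Write-Host "Current: $oldVer ($oldHash)"
Write-Host "New:     $newVer ($newHash)"
if ($oldHash -eq $newHash) { Write-Host 'Files are identical; nothing to do.'; return }

# 3. Rename the in-use file. Windows allows renaming an open DLL because the process
#    holds a handle, not the name; deleting it would fail while SQL Server is running.
$backup = "$ProviderPath.old"
if (Test-Path $backup) {
    throw "Backup '$backup' already exists; remove it only after confirming it is no longer loaded."
}
Rename-Item -Path $ProviderPath -NewName (Split-Path $backup -Leaf)

# 4. Put the new file in place under the original name. SQL Server keeps using the
#    renamed copy until the next restart, when the new file is loaded.
Copy-Item -Path $NewDllPath -Destination $ProviderPath

# 5. Confirm what now sits at the path and state the remaining manual step.
$deployed    = Get-AuthenticodeSignature -FilePath $ProviderPath
$deployedVer = (Get-Item $ProviderPath).VersionInfo.FileVersion
Write-Host "Deployed $deployedVer, signature: $($deployed.Status)"
Write-Host "Delete '$backup' only after the instance has restarted and is using the new provider."
```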
