Docs: Fix SQL Server EKM Provider KEK rotation instructions (#25255)
Showing 3 changed files with 68 additions and 35 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
--- | ||
layout: docs | ||
page_title: Rotating encryption keys with the Vault EKM Provider | ||
description: Steps to rotate the symmetric Database Encryption Key (DEK) and the asymmetric Key Encryption Key (KEK) when using the Vault EKM Provider for Microsoft SQL Server. | ||
--- | ||
|
||
# Key rotation | ||
|
||
Both the database encryption key and Vault Transit's asymmetric key can be rotated independently. | ||
|
||
## Database encryption key (DEK) rotation | ||
|
||
To rotate the database encryption key, you can execute the | ||
[following SQL query](https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-encryption-key-transact-sql?view=azuresqldb-current) | ||
in Microsoft SQL Server Management Studio: | ||
|
||
```sql | ||
USE TestTDE; | ||
GO | ||
|
||
ALTER DATABASE ENCRYPTION KEY | ||
REGENERATE WITH ALGORITHM = AES_256; | ||
GO | ||
|
||
SELECT * FROM sys.dm_database_encryption_keys; | ||
``` | ||
|
||
## Key encryption key (KEK) rotation | ||
|
||
To rotate the asymmetric key in Vault's Transit, you can use the standard | ||
[`/rotate`](/vault/api-docs/secret/transit#rotate-key) endpoint: | ||
|
||
```shell-session | ||
$ vault write -f transit/keys/ekm-encryption-key/rotate | ||
``` | ||
|
||
After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption | ||
key with the newest version of the Vault key by creating a new asymmetric key: | ||
|
||
```sql | ||
use master; | ||
GO | ||
|
||
CREATE ASYMMETRIC KEY TransitVaultAsymmetricV2 | ||
FROM PROVIDER TransitVaultProvider | ||
WITH CREATION_DISPOSITION = OPEN_EXISTING, | ||
PROVIDER_KEY_NAME = 'ekm-encryption-key'; | ||
|
||
|
||
CREATE CREDENTIAL TransitVaultTDECredentialsV2 | ||
WITH IDENTITY = '<approle-role-id>', | ||
SECRET = '<approle-secret-id>' | ||
FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider; | ||
GO | ||
|
||
CREATE LOGIN TransitVaultTDELoginV2 FROM ASYMMETRIC KEY TransitVaultAsymmetricV2; | ||
|
||
use TestTDE; | ||
go | ||
|
||
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2; | ||
``` |
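Review bot: the V2 credential created on the `CREATE CREDENTIAL TransitVaultTDECredentialsV2 ... FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider` lines is never associated with the login created by `CREATE LOGIN TransitVaultTDELoginV2 FROM ASYMMETRIC KEY TransitVaultAsymmetricV2;`, so the new login has no provider credential to authenticate to Vault with and the final `ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2;` step has nothing to use when it wraps the DEK. Add `ALTER LOGIN TransitVaultTDELoginV2 ADD CREDENTIAL TransitVaultTDECredentialsV2;` directly after the `CREATE LOGIN` line, mirroring the setup flow this page builds on. Two smaller points in the same block: the second block uses lowercase `use master;` / `go` and `use TestTDE;` / `go` while the first block uses `USE` / `GO`, and there is a doubled blank line after the `PROVIDER_KEY_NAME = 'ekm-encryption-key';` line; both are worth normalizing before this ships. Finally, the KEK section says rotation re-encrypts the DEK "with the newest version of the Vault key" but does not say that the previous asymmetric key, login and credential must stay in place until that `ALTER DATABASE ENCRYPTION KEY` completes, nor that the older Vault key version must remain decryptable until then; a sentence to that effect after the block would prevent readers from dropping the V1 objects or trimming old key versions too early.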