TDE Key Rotation
This section explains how to rotate the TDE key encryption key (KEK) in KeyControl and then re-encrypt each database's database encryption key (DEK) under the new key version in SQL Server. Both halves are required: rotating the key in KeyControl alone does not change which version protects the DEK.
Configure TDE Key Rotation in KeyControl
-
Log in to the KeyControl web GUI and rotate the TDE key: navigate to CLOUD KEYS > CloudKeys tab > CloudKey Details page and start the rotation from there.
-
Select the Versions tab to view the list of key versions; the newly created version should appear after rotation. Keep the previous version available — it is still needed to restore any backup taken before the SQL Server side of the rotation completes.
TDE Key Rotation in SQL Server
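USE master;
GO
-- Bind a NEW SQL Server asymmetric key object to the rotated KeyControl cloud key.
-- The provider key name does not change on rotation; OPEN_EXISTING attaches this
-- object to the key version KeyControl currently holds (check the Versions tab).
CREATE ASYMMETRIC KEY TDE_KEY_v2
FROM PROVIDER EKM_Prov
WITH PROVIDER_KEY_NAME = '<Cloud Key>', -- e.g. master_key1 created in KeyControl
     CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- Credential the engine presents to KeyControl when it opens the key.
-- SECRET is the KeyControl-issued secret for the IDENTITY shown. Supply it at
-- run time from a secret store; never keep the real value in a saved script,
-- a ticket, or version control (a leaked secret grants access to the KEK).
CREATE CREDENTIAL tde_ekm_cred_v2
WITH IDENTITY = 'tde_connect1',
     SECRET = '<KeyControl credential secret>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;
GO
-- A login mapped to the asymmetric key, with the credential attached, lets the
-- database engine authenticate to the EKM provider on its own whenever it needs
-- to open the key (for example when a TDE database is brought online).
CREATE LOGIN TDE_Login_v2
FROM ASYMMETRIC KEY TDE_KEY_v2;
GO
ALTER LOGIN TDE_Login_v2
ADD CREDENTIAL tde_ekm_cred_v2;
GO
-- Re-encrypt the database encryption key (DEK) under the new KEK version.
-- Repeat this step in every TDE-enabled database, not just testdb.
USE testdb;
GO
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_KEY_v2;
GO
-- Do NOT drop the previous SQL Server asymmetric key, its login/credential, or
-- the previous KeyControl key version yet: backups taken before this step have
-- their DEK protected by the old KEK and cannot be restored without it.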
Verify which TDE key now protects the database encryption key
Check the encryptor_thumbprint column to determine which key version currently encrypts the database encryption key. After rotation it must match the thumbprint of the new asymmetric key (TDE_KEY_v2); if it still shows the old thumbprint, the ALTER DATABASE ENCRYPTION KEY step has not been applied to that database.
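USE master;
GO
-- Show which encryptor currently protects each database encryption key (DEK).
-- Joining on the thumbprint resolves it to the server asymmetric key name, so the
-- new key (TDE_KEY_v2) can be confirmed without a separate lookup. The join is a
-- LEFT JOIN so rows protected by a certificate (or no DEK at all) still appear.
-- encryption_state: 3 = encrypted, 2 = encryption in progress (see percent_complete),
-- 6 = the DEK protector (KEK) is being changed.
SELECT
    DB_NAME(dek.database_id) AS DatabaseName,
    dek.encryption_state,
    dek.percent_complete,
    dek.encryptor_thumbprint,
    dek.encryptor_type,
    ak.name                  AS encryptor_key_name
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.asymmetric_keys AS ak
    ON ak.thumbprint = dek.encryptor_thumbprint;
GO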
