TDE Master Key Rotation












6















Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



My background is in Oracle, which handles TDE a little differently.










share|improve this question









New contributor




LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    6















    Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



    My background is in Oracle, which handles TDE a little differently.










    share|improve this question









    New contributor




    LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      6












      6








      6








      Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



      My background is in Oracle, which handles TDE a little differently.










      share|improve this question









      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



      My background is in Oracle, which handles TDE a little differently.







      sql-server transparent-data-encryption






      share|improve this question









      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 2 days ago









      Paul White

      53.2k14284457




      53.2k14284457






      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 days ago









      LewWLewW

      311




      311




      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          1 Answer
          1






          active

          oldest

          votes


















          9















          Does changing the TDE Master Key always require decryption and re-encryption?
          The DB Master Key and/or the DB encryption key.




          The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



          To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



          If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



          It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "182"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });






            LewW is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            9















            Does changing the TDE Master Key always require decryption and re-encryption?
            The DB Master Key and/or the DB encryption key.




            The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



            To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



            If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



            It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






            share|improve this answer




























              9















              Does changing the TDE Master Key always require decryption and re-encryption?
              The DB Master Key and/or the DB encryption key.




              The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



              To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



              If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



              It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






              share|improve this answer


























                9












                9








                9








                Does changing the TDE Master Key always require decryption and re-encryption?
                The DB Master Key and/or the DB encryption key.




                The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



                To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



                If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



                It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






                share|improve this answer














                Does changing the TDE Master Key always require decryption and re-encryption?
                The DB Master Key and/or the DB encryption key.




                The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



                To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



                If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



                It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 2 days ago









                Sean GallardySean Gallardy

                16.9k22654




                16.9k22654






















                    LewW is a new contributor. Be nice, and check out our Code of Conduct.










                    draft saved

                    draft discarded


















                    LewW is a new contributor. Be nice, and check out our Code of Conduct.













                    LewW is a new contributor. Be nice, and check out our Code of Conduct.












                    LewW is a new contributor. Be nice, and check out our Code of Conduct.
















                    Thanks for contributing an answer to Database Administrators Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Plaza Victoria

                    Puebla de Zaragoza

                    Musa