TDE Master Key Rotation












6















Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



My background is in Oracle, which handles TDE a little differently.






sql-server transparent-data-encryption







share|improve this question









New contributor




LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    6















    Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



    My background is in Oracle, which handles TDE a little differently.






    sql-server transparent-data-encryption







    share|improve this question









    New contributor




    LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      6












      6








      6








      Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



      My background is in Oracle, which handles TDE a little differently.






      sql-server transparent-data-encryption







      share|improve this question









      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



      My background is in Oracle, which handles TDE a little differently.






      sql-server transparent-data-encryption




      sql-server transparent-data-encryption






      share|improve this question









      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 2 days ago









      Paul White

      53.2k14284457




      53.2k14284457






      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 days ago









      LewWLewW

      311




      311




      New contributor




      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      LewW is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          1 Answer
          1






          active

          oldest

          votes


















          9















          Does changing the TDE Master Key always require decryption and re-encryption?
          The DB Master Key and/or the DB encryption key.




          The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



          To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



          If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



          It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "182"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });






            LewW is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            9















            Does changing the TDE Master Key always require decryption and re-encryption?
            The DB Master Key and/or the DB encryption key.




            The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



            To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



            If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



            It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






            share|improve this answer




























              9















              Does changing the TDE Master Key always require decryption and re-encryption?
              The DB Master Key and/or the DB encryption key.




              The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



              To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



              If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



              It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






              share|improve this answer


























                9












                9








                9








                Does changing the TDE Master Key always require decryption and re-encryption?
                The DB Master Key and/or the DB encryption key.




                The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



                To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



                If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



                It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






                share|improve this answer














                Does changing the TDE Master Key always require decryption and re-encryption?
                The DB Master Key and/or the DB encryption key.




                The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).



                To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.



                If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.



                It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 2 days ago









                Sean GallardySean Gallardy

                16.9k22654




                16.9k22654






















                    LewW is a new contributor. Be nice, and check out our Code of Conduct.










                    draft saved

                    draft discarded


















                    LewW is a new contributor. Be nice, and check out our Code of Conduct.













                    LewW is a new contributor. Be nice, and check out our Code of Conduct.












                    LewW is a new contributor. Be nice, and check out our Code of Conduct.
















                    Thanks for contributing an answer to Database Administrators Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Plaza Victoria

                    Image
                    Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l
                    Read more

                    In PowerPoint, is there a keyboard shortcut for bulleted / numbered list?

                    Image
                    .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 2 OneNote has two useful keyboard shortcuts for bulleted and numbered lists, namely Ctrl + . and Ctrl + - . Is there something similar for PowerPoint where the work with lists is also very common? Haven't found anything here: Use keyboard shortcuts in PowerPoint. keyboard-shortcuts microsoft-powerpoint share | improve this question edited Aug 14 '14 at 14:49 Linger 2,826 10 28 40
                    Read more

                    How to put 3 figures in Latex with 2 figures side by side and 1 below these side by side images but in...

                    Image
                    1 0 I want to put 3 images in LateX such as 2 figures are side by side horizotally and 3rd figure below these 2 side by side figures but in middle. I have following code: begin{figure}[H] centering begin{minipage}{.5textwidth} centering includegraphics[width=.50linewidth]{Text/Images/Genelec_8010_AP.jpg} captionof{figure}{Genelec 8010 AP} label{fig:Genelec 8010} end{minipage}% begin{minipage}{.5textwidth} centering includegraphics[width=.69linewidth]{Text/Images/Genelec_8020_CPM.jpg} captionof{figure}{Genelec 8020 CPM} label{fig:Genelec 8020} end{minipage}% end{figure} %%Here is my 3rd picture code begin{figure} centering includegraphics[width=5cm]{Text/Images/Genelec_8030_BPM.jpg} caption{Genelec 8030 BPM} label{fig:Genelec 8030} end{figure} I want to ask ho
                    Read more