TDE Master Key Rotation
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
New contributor
add a comment |
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
New contributor
add a comment |
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
New contributor
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
sql-server transparent-data-encryption
New contributor
New contributor
edited 2 days ago
Paul White♦
53.2k14284457
53.2k14284457
New contributor
asked 2 days ago
LewWLewW
311
311
New contributor
New contributor
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "182"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
LewW is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
add a comment |
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
add a comment |
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
answered 2 days ago
Sean GallardySean Gallardy
16.9k22654
16.9k22654
add a comment |
add a comment |
LewW is a new contributor. Be nice, and check out our Code of Conduct.
LewW is a new contributor. Be nice, and check out our Code of Conduct.
LewW is a new contributor. Be nice, and check out our Code of Conduct.
LewW is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Database Administrators Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown