Vault
Rotate encryption keys with the Vault EKM provider
Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.
Database encryption key (DEK) rotation
To rotate the database encryption key, you can execute the following SQL query in Microsoft SQL Server Management Studio:
USE TestTDE;
GO
ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256;
GO
SELECT * FROM sys.dm_database_encryption_keys;
Key encryption key (KEK) rotation
To rotate the asymmetric key in Vault's Transit, you can use the standard
/rotate
endpoint:
$ vault write -f transit/keys/ekm-encryption-key/rotate
After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption key with the newest version of the Vault key by creating a new asymmetric key:
use master;
GO
CREATE ASYMMETRIC KEY TransitVaultAsymmetricV2
FROM PROVIDER TransitVaultProvider
WITH CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'ekm-encryption-key';
CREATE CREDENTIAL TransitVaultTDECredentialsV2
WITH IDENTITY = '<approle-role-id>',
SECRET = '<approle-secret-id>'
FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
GO
CREATE LOGIN TransitVaultTDELoginV2 FROM ASYMMETRIC KEY TransitVaultAsymmetricV2;
use TestTDE;
go
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2;