Rotate encryption keys with the Vault EKM provider
Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.
Database encryption key (DEK) rotation
To rotate the database encryption key, you can execute the following SQL query in Microsoft SQL Server Management Studio:
USE TestTDE;
GO
ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256;
GO
SELECT * FROM sys.dm_database_encryption_keys;
Key encryption key (KEK) rotation
To rotate the asymmetric key in Vault's Transit secrets engine, use the standard /rotate endpoint:
$ vault write -f transit/keys/ekm-encryption-key/rotate
Rotating the Transit key creates a new key version; it does not re-encrypt anything already wrapped with the previous version, and the existing database encryption key stays decryptable because Transit retains older versions. After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption key with the newest version of the Vault key by creating a new asymmetric key, credential and login that reference the rotated Transit key, then switching the database to it. Do not raise the Transit key's min_decryption_version above the version that currently wraps the database encryption key until this re-encryption has completed, or SQL Server will no longer be able to open the database.
USE master;
GO

-- New SQL Server asymmetric key object backed by the same (now rotated) Transit key
CREATE ASYMMETRIC KEY TransitVaultAsymmetricV2
FROM PROVIDER TransitVaultProvider
WITH CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'ekm-encryption-key';

-- AppRole credentials the EKM provider uses to authenticate to Vault
CREATE CREDENTIAL TransitVaultTDECredentialsV2
    WITH IDENTITY = '<approle-role-id>',
    SECRET = '<approle-secret-id>'
FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
GO

CREATE LOGIN TransitVaultTDELoginV2
FROM ASYMMETRIC KEY TransitVaultAsymmetricV2;

-- Bind the credential to the login so the engine can reach Vault through this key
-- (for example when it opens the database on startup)
ALTER LOGIN TransitVaultTDELoginV2
ADD CREDENTIAL TransitVaultTDECredentialsV2;

USE TestTDE;
GO

-- Re-encrypt the database encryption key with the new asymmetric key
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2;
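To confirm that both rotations took effect before touching the old key version in Vault, the following query is an added check that is not part of the original page. It joins the TDE metadata view to sys.asymmetric_keys on the encryptor thumbprint, so you can see that regenerate_date advanced after the DEK rotation and that the encryptor is now TransitVaultAsymmetricV2 after the KEK re-encryption. It assumes the database name TestTDE and the key names used above.

```sql
-- Added verification query (not from the original page); assumes TestTDE and
-- the asymmetric key names created above.
USE master;
GO
SELECT
    d.name            AS database_name,
    k.encryption_state,          -- 3 = encrypted
    k.key_algorithm,             -- expected AES after REGENERATE WITH ALGORITHM = AES_256
    k.key_length,                -- expected 256
    k.regenerate_date,           -- advances when the DEK is regenerated
    k.encryptor_type,            -- expected 'ASYMMETRIC KEY' for an EKM-protected DEK
    ak.name           AS encryptor_name,  -- expected TransitVaultAsymmetricV2 after re-encryption
    ak.thumbprint     AS encryptor_thumbprint
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d
    ON d.database_id = k.database_id
LEFT JOIN sys.asymmetric_keys AS ak
    ON ak.thumbprint = k.encryptor_thumbprint
WHERE d.name = N'TestTDE';
GO
```

If encryptor_name still shows the previous asymmetric key, the ALTER DATABASE ENCRYPTION KEY step has not been applied; only once it reports TransitVaultAsymmetricV2 is it safe to raise min_decryption_version on the Transit key or remove the old SQL Server key, credential and login.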