Monday, 18 March 2019

TDE Master Key Rotation

Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



My background is in Oracle, which handles TDE a little differently.

Tags: sql-server, transparent-data-encryption

Asked 2 hours ago by LewW; edited 1 hour ago by Paul White

1 Answer

Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.

The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).

To your question, if you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.

If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.

It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.

Answered 2 hours ago by Sean Gallardy
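
The two rotations distinguished in the answer above, shown as an added T-SQL example (not part of the original answer or of any product documentation). The database name SalesDb, the certificate name TDECert_New, the file paths and the password are placeholders chosen for illustration.

```sql
-- Added example: all object names, paths and passwords are placeholders.

-- 1) Baseline: current state and which certificate protects the DEK.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,          -- 3 = encrypted
       k.key_algorithm,
       k.key_length,
       c.name AS protecting_certificate,
       k.set_date,                  -- when the DEK was applied to the database
       k.regenerate_date            -- when the DEK itself was last regenerated
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID(N'SalesDb');

-- 2) Rotate the server certificate (the protector of the DEK).
USE master;
CREATE CERTIFICATE TDECert_New
    WITH SUBJECT = 'TDE protector for SalesDb (rotated)';

-- Back up the new certificate and private key before relying on it.
BACKUP CERTIFICATE TDECert_New
    TO FILE = N'<backup-path>\TDECert_New.cer'
    WITH PRIVATE KEY (FILE = N'<backup-path>\TDECert_New.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong-password>');

USE SalesDb;
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDECert_New;
-- Only the stored DEK is re-wrapped under the new certificate.
-- encryption_state may briefly show 6 (protection change in progress);
-- the data pages are not rewritten.

-- 3) Rotate the DEK itself.
ALTER DATABASE ENCRYPTION KEY
    REGENERATE WITH ALGORITHM = AES_256;
-- This starts a background scan that re-encrypts the database with the
-- new DEK; encryption_state shows 4 (key change in progress) until done.

-- 4) Monitor the DEK rotation until encryption_state returns to 3.
SELECT encryption_state,
       percent_complete,
       regenerate_date
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID(N'SalesDb');
```

Keep the old certificate and its private-key backup for as long as any backup taken while it protected the DEK may need to be restored.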
