TDE Master Key RotationWhen do I need to backup the Service Master Key?Moving TDE database to a new database but having problems with the certHow to safeguard a symmetric key in SQL ServerTDE restored DB encryption stateWhen would one want to use Oracle transparent data encryptionHow is the Database Encryption Key for SQL Server TDE linked to the certificate?TDE Change Encryption Key - Is it safe?BACKUP MASTER KEY failing with cannot find symmetric master key because it does not existHow to stop decrypting data after opening master key in SQL Server?using oracle tde
How to align my equation to left?
Delete multiple columns using awk or sed
Why can't the Brexit deadlock in the UK parliament be solved with a plurality vote?
Pre-mixing cryogenic fuels and using only one fuel tank
I found an audio circuit and I built it just fine, but I find it a bit too quiet. How do I amplify the output so that it is a bit louder?
What's the name of the logical fallacy where a debater extends a statement far beyond the original statement to make it true?
What features enable the Su-25 Frogfoot to operate with such a wide variety of fuels?
Mimic lecturing on blackboard, facing audience
Doesn't the system of the Supreme Court oppose justice?
It grows, but water kills it
X marks the what?
Biological Blimps: Propulsion
How to get directions in deep space?
Open a doc from terminal, but not by its name
Plot of a tornado-shaped surface
When were female captains banned from Starfleet?
xxx we would have made had we used xxx, what is had used for?
Why is the "ls" command showing permissions of files in a FAT32 partition?
Non-trope happy ending?
Giving feedback to someone without sounding prejudiced
Is this toilet slogan correct usage of the English language?
Can disgust be a key component of horror?
Can I cause damage to electrical appliances by unplugging them when they are turned on?
Why does AES have exactly 10 rounds for a 128-bit key, 12 for 192 bits and 14 for a 256-bit key size?
TDE Master Key Rotation
When do I need to backup the Service Master Key?Moving TDE database to a new database but having problems with the certHow to safeguard a symmetric key in SQL ServerTDE restored DB encryption stateWhen would one want to use Oracle transparent data encryptionHow is the Database Encryption Key for SQL Server TDE linked to the certificate?TDE Change Encryption Key - Is it safe?BACKUP MASTER KEY failing with cannot find symmetric master key because it does not existHow to stop decrypting data after opening master key in SQL Server?using oracle tde
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
New contributor
add a comment |
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
New contributor
add a comment |
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
New contributor
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
sql-server transparent-data-encryption
New contributor
New contributor
edited Mar 18 at 15:45
Paul White♦
53.5k14284458
53.5k14284458
New contributor
asked Mar 18 at 14:30
LewWLewW
311
311
New contributor
New contributor
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "182"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
LewW is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
add a comment |
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
add a comment |
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, If you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
answered Mar 18 at 14:53
Sean GallardySean Gallardy
16.9k22654
16.9k22654
add a comment |
add a comment |
LewW is a new contributor. Be nice, and check out our Code of Conduct.
LewW is a new contributor. Be nice, and check out our Code of Conduct.
LewW is a new contributor. Be nice, and check out our Code of Conduct.
LewW is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Database Administrators Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f232437%2ftde-master-key-rotation%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown