TDE Master Key Rotation
Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?
My background is in Oracle, which handles TDE a little differently.
sql-server transparent-data-encryption
edited 8 hours ago
Paul White♦
asked 9 hours ago
LewW
1 Answer
Does changing the TDE Master Key always require decryption and re-encryption?
The DB Master Key and/or the DB encryption key.
The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).
To your question, if you rotate the DEK you must decrypt and encrypt all data in the database because it is the key which does this.
If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.
It doesn't matter the version or type of software, if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.
answered 9 hours ago
Sean Gallardy
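The two rotations the answer above distinguishes, as an added T-SQL example that is not part of the original question or answer. The database name `MyTdeDb`, the certificate name `TdeCert_New`, the file paths and the password are hypothetical placeholders; it assumes TDE is already enabled on the database and that `master` has a database master key.

```sql
-- Added example: MyTdeDb, TdeCert_New, paths and password are hypothetical.
USE master;
GO
-- 1. Create the replacement server certificate and back it up, with its
--    private key, before any database depends on it.
CREATE CERTIFICATE TdeCert_New WITH SUBJECT = 'TDE protector (rotated)';
GO
BACKUP CERTIFICATE TdeCert_New
    TO FILE = 'C:\KeyBackup\TdeCert_New.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackup\TdeCert_New.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO

-- 2. Rotate the protector: only the stored DEK is re-wrapped under the new
--    certificate. Data pages are not rewritten.
USE MyTdeDb;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TdeCert_New;
GO

-- 3. Verify which certificate now protects the DEK and what state the
--    database is in. encryption_state: 3 = encrypted,
--    4 = key change in progress, 6 = protection change in progress.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name                 AS protecting_certificate
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('MyTdeDb');
GO

-- 4. By contrast, rotating the DEK itself starts a background scan that
--    re-encrypts the whole database; rerun the query in step 3 to watch
--    encryption_state 4 and percent_complete until it returns to 3.
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
GO
```

Keep the backup of the previous certificate after step 2: database backups taken while it protected the DEK still need it to restore.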