TDE Master Key Rotation

Does changing the TDE Master Key (DB Master Key and/or the DB encryption key) always require decryption and re-encryption? If not, at what version did SQL Server begin to allow you to change the Master Key and not have to decrypt/re-encrypt?



My background is in Oracle, which handles TDE a little differently.










Tags: sql-server transparent-data-encryption

asked 8 hours ago by LewW, edited 7 hours ago by Paul White

1 Answer















> Does changing the TDE Master Key always require decryption and re-encryption?
> The DB Master Key and/or the DB encryption key.

The main two secrets involved in TDE are the Database Encryption Key (DEK) and the Server Certificate. The DEK is what actually encrypts and decrypts the data in the database, but the Server Certificate is used to protect (among other protections already involved) the Database Encryption Key (DEK).

To your question: if you rotate the DEK, you must decrypt and encrypt all data in the database, because it is the key which does this.

If, however, you rotate the Server Certificate protecting the DEK, then no data encryption or decryption of the physical database would need to take place.

It doesn't matter the version or type of software; if you encrypt data with an asymmetric key pair and want to rotate to another asymmetric key pair, you'll first need to decrypt the data with the old set of keys and encrypt it with the new.






answered 8 hours ago by Sean Gallardy
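
The two rotations the answer distinguishes, written out in T-SQL as an added example (not part of the original answer). The database name `SalesDb`, the certificate name `TdeCert_New`, the backup paths and the password are hypothetical placeholders.

```sql
-- Added example. SalesDb, TdeCert_New and the D:\KeyBackup paths are
-- hypothetical; substitute your own names and a real password.

-- Rotation 1: replace the server certificate that protects the DEK.
-- Only the DEK is re-wrapped; data pages are not re-encrypted.
USE master;
GO
CREATE CERTIFICATE TdeCert_New
    WITH SUBJECT = 'TDE certificate (rotated)',
         EXPIRY_DATE = '20301231';
GO
-- Back up the new certificate and its private key before relying on it.
-- Without this backup the database cannot be restored on another server.
BACKUP CERTIFICATE TdeCert_New
    TO FILE = 'D:\KeyBackup\TdeCert_New.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\TdeCert_New.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO
USE SalesDb;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TdeCert_New;
GO

-- Check which certificate now protects the DEK and the current state.
-- encryption_state: 3 = encrypted, 4 = key change in progress,
--                   6 = protection change in progress.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       dek.regenerate_date,   -- changes only when the DEK itself is rotated
       dek.set_date,
       c.name                 AS protecting_certificate
FROM sys.dm_database_encryption_keys AS dek
JOIN master.sys.certificates AS c
  ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID('SalesDb');
GO

-- Rotation 2: regenerate the DEK itself.
-- This starts a background scan that re-encrypts the database with the
-- new key (encryption_state 4 until it finishes).
ALTER DATABASE ENCRYPTION KEY
    REGENERATE WITH ALGORITHM = AES_256;
GO
```

Keep the old certificate and its private-key backup for as long as any database or log backup taken under it may need to be restored.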
