---
layout: docs
page_title: Rotate encryption keys with the Vault EKM provider
description: >-
    Steps to rotate the symmetric Database Encryption Key (DEK) and the asymmetric Key Encryption Key (KEK) when using the Vault EKM provider for Microsoft SQL Server.
---

# Rotate encryption keys with the Vault EKM provider

Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.

## Database encryption key (DEK) rotation

To rotate the database encryption key, you can execute the
[following SQL query](https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-encryption-key-transact-sql?view=azuresqldb-current)
in Microsoft SQL Server Management Studio:

```sql
USE TestTDE;
GO

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256;
GO

SELECT * FROM sys.dm_database_encryption_keys;
```

## Key encryption key (KEK) rotation

To rotate the asymmetric key in Vault's Transit, you can use the standard
[`/rotate`](/vault/api-docs/secret/transit#rotate-key) endpoint:

```shell-session
$ vault write -f transit/keys/ekm-encryption-key/rotate
```

After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption
key with the newest version of the Vault key by creating a new asymmetric key:

```sql
use master;
GO

CREATE ASYMMETRIC KEY TransitVaultAsymmetricV2
FROM PROVIDER TransitVaultProvider
WITH CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'ekm-encryption-key';


CREATE CREDENTIAL TransitVaultTDECredentialsV2
    WITH IDENTITY = '<approle-role-id>',
    SECRET = '<approle-secret-id>'
FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
GO

CREATE LOGIN TransitVaultTDELoginV2 FROM ASYMMETRIC KEY TransitVaultAsymmetricV2;

use TestTDE;
go

ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2;
```