mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-23 23:51:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
67 lines
2.3 KiB
Plaintext
67 lines
2.3 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Rotate encryption keys with the Vault EKM provider
|
|
description: >-
|
|
Steps to rotate the symmetric Database Encryption Key (DEK) and the asymmetric Key Encryption Key (KEK) when using the Vault EKM provider for Microsoft SQL Server.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Rotate encryption keys with the Vault EKM provider
|
|
|
|
Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.
|
|
|
|
## Database encryption key (DEK) rotation
|
|
|
|
To rotate the database encryption key, you can execute the
|
|
[following SQL query](https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-encryption-key-transact-sql?view=azuresqldb-current)
|
|
in Microsoft SQL Server Management Studio:
|
|
|
|
```sql
|
|
USE TestTDE;
|
|
GO
|
|
|
|
ALTER DATABASE ENCRYPTION KEY
|
|
REGENERATE WITH ALGORITHM = AES_256;
|
|
GO
|
|
|
|
SELECT * FROM sys.dm_database_encryption_keys;
|
|
```
|
|
|
|
## Key encryption key (KEK) rotation
|
|
|
|
To rotate the asymmetric key in Vault's Transit, you can use the standard
|
|
[`/rotate`](/vault/api-docs/secret/transit#rotate-key) endpoint:
|
|
|
|
```shell-session
|
|
$ vault write -f transit/keys/ekm-encryption-key/rotate
|
|
```
|
|
|
|
After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption
|
|
key with the newest version of the Vault key by creating a new asymmetric key:
|
|
|
|
```sql
|
|
use master;
|
|
GO
|
|
|
|
CREATE ASYMMETRIC KEY TransitVaultAsymmetricV2
|
|
FROM PROVIDER TransitVaultProvider
|
|
WITH CREATION_DISPOSITION = OPEN_EXISTING,
|
|
PROVIDER_KEY_NAME = 'ekm-encryption-key';
|
|
|
|
|
|
CREATE CREDENTIAL TransitVaultTDECredentialsV2
|
|
WITH IDENTITY = '<approle-role-id>',
|
|
SECRET = '<approle-secret-id>'
|
|
FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
|
|
GO
|
|
|
|
CREATE LOGIN TransitVaultTDELoginV2 FROM ASYMMETRIC KEY TransitVaultAsymmetricV2;
|
|
|
|
use TestTDE;
|
|
go
|
|
|
|
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2;
|
|
```
|