---
title: 'PowerShell - Rotate TDE protector - Azure SQL | Microsoft Docs'
description: Learn how to rotate the Transparent Data Encryption (TDE) protector for an Azure SQL server.
keywords:
services: sql-database
documentationcenter: ''
author: becczhang
manager: jhubbard
editor: ''
ms.assetid:
ms.service: sql-database
ms.custom: quick start create, mvc
ms.workload: data-management
ms.tgt_pltfrm: portal
ms.devlang: na
ms.topic: hero-article
ms.date: 08/07/2017
ms.author: ryzhang26
---
[!INCLUDEtsql-appliesto-xxxxxx-asdb-asdw-xxx-md]
# Rotate the Transparent Data Encryption (TDE) protector using PowerShell

This how-to guide describes key rotation for an Azure SQL server using a TDE protector from Azure Key Vault. Rotating an Azure SQL server's TDE protector means switching to a new asymmetric key that protects the databases on the server. Key rotation is an online operation and should take only a few seconds to complete, because it only decrypts and re-encrypts each database's data encryption key (DEK) under the new protector; the database contents themselves are not re-encrypted.
This guide discusses two options to rotate the TDE protector on the server.
> [!NOTE]
> A paused SQL Data Warehouse must be resumed before key rotation.

> [!IMPORTANT]
> Do not delete previous versions of the key after a rollover. When keys are rolled over, some data is still encrypted with the previous keys, such as older database backups, and those backups cannot be restored without the key version that protects them.
## Prerequisites

- This how-to guide assumes that you are already using a key from Azure Key Vault as the TDE protector for an Azure SQL Database or Data Warehouse. See Transparent Data Encryption with BYOK Support.
- You must have Azure PowerShell version 3.7.0 or newer installed and running.
- [Recommended but optional] Create the key material for the TDE protector in a hardware security module (HSM) or local key store first, and import the key material to Azure Key Vault. Follow the instructions for using a hardware security module (HSM) and Key Vault to learn more.
## Option 1: Rotate the TDE protector by creating a new version of the existing key

Generate a new version of the existing TDE protector key in Key Vault, under the same key name and in the same key vault. No change on the SQL server is required: the Azure SQL service detects the new version and starts using it within 24 hours.
To create a new version of the TDE protector, use the Add-AzureKeyVaultKey cmdlet. When a key with the given name already exists in the vault, the cmdlet creates a new version of that key rather than a new key:

```powershell
# Create a new version of the existing protector key.
# -Destination is HSM (hardware-protected) or Software.
Add-AzureKeyVaultKey `
    -VaultName <KeyVaultName> `
    -Name <KeyVaultKeyName> `
    -Destination <HardwareOrSoftware>
```

## Option 2: Rotate the TDE protector by adding a new key

This option uses the Add-AzureKeyVaultKey, Add-AzureRmSqlServerKeyVaultKey, and Set-AzureRmSqlServerTransparentDataEncryptionProtector cmdlets to add a completely new key, which could be under a new key name or even in another key vault.
> [!NOTE]
> The combined length of the key vault name and the key name cannot exceed 94 characters.
```powershell
# Add a new key to Key Vault (-Destination is HSM or Software)
Add-AzureKeyVaultKey `
    -VaultName <KeyVaultName> `
    -Name <KeyVaultKeyName> `
    -Destination <HardwareOrSoftware>

# Add the new key from Key Vault to the server.
# <KeyVaultKeyId> is the versioned key URI returned by Add-AzureKeyVaultKey (its Id property),
# for example https://<KeyVaultName>.vault.azure.net/keys/<KeyVaultKeyName>/<version>
Add-AzureRmSqlServerKeyVaultKey `
    -KeyId <KeyVaultKeyId> `
    -ServerName <LogicalServerName> `
    -ResourceGroupName <SQLDatabaseResourceGroupName>

<# Set the key as the TDE protector for all resources
   under the server #>
Set-AzureRmSqlServerTransparentDataEncryptionProtector `
    -Type AzureKeyVault `
    -KeyId <KeyVaultKeyId> `
    -ServerName <LogicalServerName> `
    -ResourceGroupName <SQLDatabaseResourceGroupName>
```
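The following script is an added example, not code from the original page or from Microsoft. It wraps both options above in one function: if a key with the given name already exists in the vault, Add-AzureKeyVaultKey produces a new version (Option 1) and nothing changes server-side; if the name is new, the key is registered with the server and made the protector (Option 2). It also adds the checks a practitioner wants around a rotation: the 94-character name limit is enforced before any key is created, previous key versions are listed afterwards and a warning is raised if any are disabled (older backups depend on them), and the server's current protector is read back with Get-AzureRmSqlServerTransparentDataEncryptionProtector so the result can be confirmed. The script assumes you have already signed in with Login-AzureRmAccount, that the AzureRM.KeyVault and AzureRM.Sql modules from Azure PowerShell 3.7.0 or newer are loaded, that the caller may create keys in the vault (HSM-protected keys additionally require a Premium-tier vault), and that the function name and all names in the usage line are placeholders.

```powershell
# Added example (not code from the original page): perform either rotation option
# and surface the checks a practitioner wants around it.
# Assumptions: Login-AzureRmAccount has been run; AzureRM.KeyVault and AzureRM.Sql
# (Azure PowerShell 3.7.0+) are loaded; the function name and usage values are placeholders.

function Invoke-TdeProtectorRotation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [ValidateSet('HSM', 'Software')] [string] $Destination = 'HSM'
    )

    # Pre-check: the combined length of vault name and key name cannot exceed 94 characters.
    $combined = $VaultName.Length + $KeyName.Length
    if ($combined -gt 94) {
        throw "Vault name plus key name is $combined characters; the limit is 94."
    }

    # Does a key with this name already exist? That decides which option applies.
    $existing = Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue

    # Add-AzureKeyVaultKey creates the key when the name is new, and a new version otherwise.
    $key = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination $Destination
    Write-Verbose "Created key version $($key.Version): $($key.Id)"

    if ($existing) {
        # Option 1: same key name and vault. No server-side change is required; the
        # Azure SQL service switches to the new version within 24 hours.
        $mode = 'RolledOverExistingKey'
        Write-Verbose "Rolled over existing key '$KeyName'; the service adopts the new version within 24 hours."
    }
    else {
        # Option 2: new key. Register the versioned key URI with the server, then make it the protector.
        $mode = 'SwitchedToNewKey'
        Add-AzureRmSqlServerKeyVaultKey -KeyId $key.Id -ServerName $ServerName `
            -ResourceGroupName $ResourceGroupName | Out-Null
        Set-AzureRmSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId $key.Id `
            -ServerName $ServerName -ResourceGroupName $ResourceGroupName | Out-Null
    }

    # Post-check 1: previous versions must remain enabled. Older backups are still
    # encrypted with them and cannot be restored if a version is deleted or disabled.
    $versions = @(Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -IncludeVersions)
    $disabled = @($versions | Where-Object { -not $_.Enabled })
    if ($disabled.Count -gt 0) {
        Write-Warning ("Disabled versions of '{0}' exist; backups protected by them cannot be restored: {1}" -f `
            $KeyName, (($disabled | ForEach-Object { $_.Version }) -join ', '))
    }

    # Post-check 2: read back what the server reports as its protector, so the caller can
    # confirm the switch (Option 2) or watch for the version change (Option 1).
    $protector = Get-AzureRmSqlServerTransparentDataEncryptionProtector `
        -ServerName $ServerName -ResourceGroupName $ResourceGroupName

    [pscustomobject]@{
        Mode            = $mode
        NewKeyId        = $key.Id
        ProtectorType   = $protector.Type
        ProtectorKeyId  = $protector.KeyId
        KeyVersionCount = $versions.Count
    }
}

# Usage (placeholder names; -Verbose shows each step):
# Invoke-TdeProtectorRotation -VaultName 'contoso-kv' -KeyName 'sql-tde-protector' `
#     -ServerName 'contoso-sql' -ResourceGroupName 'contoso-rg' -Verbose
```

For Option 1 the returned ProtectorKeyId will still show the previous version immediately after the call; re-run Get-AzureRmSqlServerTransparentDataEncryptionProtector later to observe the service switching to the new version. For Option 2 it should already equal NewKeyId.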
## Other useful PowerShell cmdlets

To switch the TDE protector from Microsoft-managed to BYOK mode, use the Set-AzureRmSqlServerTransparentDataEncryptionProtector cmdlet (the key must already have been added to the server with Add-AzureRmSqlServerKeyVaultKey):

```powershell
Set-AzureRmSqlServerTransparentDataEncryptionProtector `
    -Type AzureKeyVault `
    -KeyId <KeyVaultKeyId> `
    -ServerName <LogicalServerName> `
    -ResourceGroupName <SQLDatabaseResourceGroupName>
```
To switch the TDE protector from BYOK mode back to Microsoft-managed, use the Set-AzureRmSqlServerTransparentDataEncryptionProtector cmdlet with the ServiceManaged type (no key ID is needed):

```powershell
Set-AzureRmSqlServerTransparentDataEncryptionProtector `
    -Type ServiceManaged `
    -ServerName <LogicalServerName> `
    -ResourceGroupName <SQLDatabaseResourceGroupName>
```
## Next steps

- In case of a security risk, learn how to remove a potentially compromised TDE protector: Remove a potentially compromised key.
- Get started with Bring Your Own Key support for TDE: Turn on TDE using your own key from Key Vault using PowerShell.