Skip to content

alter-database-encryption-key-transact-sql.md

Latest commit

 

History

History
109 lines (88 loc) · 4.42 KB

alter-database-encryption-key-transact-sql.md

File metadata and controls

109 lines (88 loc) · 4.42 KB
title ALTER DATABASE ENCRYPTION KEY (Transact-SQL) | Microsoft Docs
ms.custom
ms.date 03/20/2017
ms.prod sql-non-specified
ms.reviewer
ms.suite
ms.technology
database-engine
ms.tgt_pltfrm
ms.topic language-reference
f1_keywords
ALTER_DATABASE_ENCRYPTION_KEY_TSQL
ALTER DATABASE ENCRYPTION
ALTER_DATABASE_ENCRYPTION_TSQL
ALTER DATABASE ENCRYPTION KEY
dev_langs
TSQL
helpviewer_keywords
database encryption key, alter
ALTER DATABASE ENCRYPTION KEY
ms.assetid f88dac4b-efe0-47ed-9808-972a4381377e
caps.latest.revision 28
author BYHAM
ms.author rickbyh
manager jhubbard
ms.workload Inactive

ALTER DATABASE ENCRYPTION KEY (Transact-SQL)

[!INCLUDEtsql-appliesto-ss2008-xxxx-asdw-pdw_md]

Alters an encryption key and certificate that is used for transparently encrypting a database. For more information about transparent database encryption, see Transparent Data Encryption (TDE).

Topic link icon Transact-SQL Syntax Conventions

Syntax

-- Syntax for SQL Server  
  
ALTER DATABASE ENCRYPTION KEY  
      REGENERATE WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }  
   |  
   ENCRYPTION BY SERVER   
    {  
        CERTIFICATE Encryptor_Name |  
        ASYMMETRIC KEY Encryptor_Name  
    }  
[ ; ]  

-- Syntax for Azure SQL Data Warehouse and Parallel Data Warehouse  
  
ALTER DATABASE ENCRYPTION KEY  
    {  
      {  
        REGENERATE WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }  
        [ ENCRYPTION BY SERVER CERTIFICATE Encryptor_Name ]  
      }  
      |  
      ENCRYPTION BY SERVER   CERTIFICATE Encryptor_Name    
    }  
[ ; ]

Arguments

REGENERATE WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }
Specifies the encryption algorithm that is used for the encryption key.

ENCRYPTION BY SERVER CERTIFICATE Encryptor_Name
Specifies the name of the certificate used to encrypt the database encryption key.

ENCRYPTION BY SERVER ASYMMETRIC KEY Encryptor_Name
Specifies the name of the asymmetric key used to encrypt the database encryption key.

Remarks

The certificate or asymmetric key that is used to encrypt the database encryption key must be located in the master system database.

The database encryption key does not have to be regenerated when a database owner (dbo) is changed.

After a database encryption key has been modified twice, a log backup must be performed before the database encryption key can be modified again.

Permissions

Requires CONTROL permission on the database and VIEW DEFINITION permission on the certificate or asymmetric key that is used to encrypt the database encryption key.

Examples

The following example alters the database encryption key to use the AES_256 algorithm.

-- Uses AdventureWorks  
  
ALTER DATABASE ENCRYPTION KEY  
REGENERATE WITH ALGORITHM = AES_256;  
GO

See Also

Transparent Data Encryption (TDE)
SQL Server Encryption
SQL Server and Database Encryption Keys (Database Engine)
Encryption Hierarchy
ALTER DATABASE SET Options (Transact-SQL)
CREATE DATABASE ENCRYPTION KEY (Transact-SQL)
DROP DATABASE ENCRYPTION KEY (Transact-SQL)
sys.dm_database_encryption_keys (Transact-SQL)