| title | Rotate | Microsoft Docs |
|---|---|
| ms.custom | |
| ms.date | 10/31/2019 |
| ms.prod | sql |
| ms.reviewer | vanto |
| ms.prod_service | database-engine, sql-database |
| ms.technology | security |
| ms.topic | conceptual |
| author | jaszymas |
| ms.author | jaszymas |
| monikerRange | >= sql-server-ver15 || = sqlallproducts-allversions |
[!INCLUDE tsql-appliesto-ssver15-xxxx-xxxx-xxx-winonly]
In Always Encrypted, a key rotation is a process of replacing an existing column master key or a column encryption key with a new key. This article describes use cases and considerations for key rotation specific to Always Encrypted with secure enclaves when either the initial key and/or the target (new) key is an enclave-enabled key. For general guidelines and processes for managing Always Encrypted keys, see Overview of key management for Always Encrypted.
You may need to rotate a key for security or compliance reasons. For example, if a key has been compromised or your organization's policies require you to replace keys periodically. In addition, Always Encrypted with secure enclaves key rotation provides a way to enable or disable the functionality of the server-side secure enclave for your encrypted columns.
- When you replace a key that isn't enclave-enabled with an enclave-enabled key, you unlock the functionality of the secure enclave to queries on a column or columns, protected with the key. See Enable Always Encrypted with secure enclaves for existing encrypted columns.
- When you replace an enclave-enabled key with a key that isn't enclave-enabled, you disable the functionality of the secure enclave to queries on a column or columns, protected with the key.
If you're rotating a key only for security/compliance reasons and not to enable or disable enclave computations for your columns, make sure the target key has the same configuration regarding enclaves as the source key. For example, if the source key is enclave-enabled, the target key should also be enclave-enabled.
The below high-level steps include links to detailed articles, depending on your rotation scenario:
- Provision a new key (a column master key or a column encryption key).
- To provision a new enclave-enclave enabled key, see Provision enclave-enabled keys.
- To provision a key that isn't enclave enabled, see Provision Always Encrypted keys using SQL Server Management Studio and Provision Always encrypted keys using PowerShell.
- Replace an existing key with the new key.
- If you're rotating a column encryption key and both the source key and the target key are enclave-enabled, you can run the rotation (which involves re-encrypting your data) in-place. See Configure column encryption in-place using Always Encrypted with secure enclaves.
- For detailed steps for rotating keys see Rotate Always Encrypted keys using SQL Server Management Studio and Rotate Always Encrypted keys using PowerShell.