Key rotation

Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.

Database encryption key (DEK) rotation

To rotate the database encryption key, you can execute the following SQL query in Microsoft SQL Server Management Studio:

USE TestTDE;
GO

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256;
GO

SELECT * FROM sys.dm_database_encryption_keys;

Key encryption key (KEK) rotation

To rotate the asymmetric key in Vault's Transit, you can use the standard /rotate endpoint:

$ vault write -f transit/keys/ekm-encryption-key/rotate

After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption key with the newest version of the Vault key by creating a new asymmetric key:

use master;
GO

CREATE ASYMMETRIC KEY TransitVaultAsymmetricV2
FROM PROVIDER TransitVaultProvider
WITH CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'ekm-encryption-key';


CREATE CREDENTIAL TransitVaultTDECredentialsV2
    WITH IDENTITY = '<approle-role-id>',
    SECRET = '<approle-secret-id>'
FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
GO

CREATE LOGIN TransitVaultTDELoginV2 FROM ASYMMETRIC KEY TransitVaultAsymmetricV2;

use TestTDE;
go

ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2;