| title | Rotate enclave-enabled keys |
|---|---|
| description | Learn how to rotate Always Encrypted enclave-enabled keys |
| author | jaszymas |
| ms.author | jaszymas |
| ms.reviewer | vanto |
| ms.date | 01/30/2025 |
| ms.service | sql |
| ms.subservice | security |
| ms.topic | how-to |
| monikerRange | >= sql-server-ver15 |
[!INCLUDE sqlserver2019-windows-only-asdb]
In Always Encrypted, a key rotation is a process of replacing an existing column master key or a column encryption key with a new key. This article describes use cases and considerations for key rotation specific to Always Encrypted with secure enclaves when either the initial key and/or the target (new) key is an enclave-enabled key. For general guidelines and processes for managing Always Encrypted keys, see Overview of key management for Always Encrypted.
You may need to rotate a key for security or compliance reasons. For example, if a key has been compromised or your organization's policies require you to replace keys periodically. In addition, Always Encrypted with secure enclaves key rotation provides a way to enable or disable the functionality of the server-side secure enclave for your encrypted columns.
- When you replace a key that isn't enclave-enabled with an enclave-enabled key, you unlock the functionality of the secure enclave to query on columns that are protected with the key. For more information, see Enable Always Encrypted with secure enclaves for existing encrypted columns.
- When you replace an enclave-enabled key with a key that isn't enclave-enabled, you disable the functionality of the secure enclave to query on columns that are protected with the key.
If you're rotating a key only for security/compliance reasons, and not to enable or disable enclave computations for your columns, make sure the target key has the same configuration regarding enclaves as the source key. For example, if the source key is enclave-enabled, the target key should also be enclave-enabled.
The below steps include links to detailed articles, depending on your rotation scenario:
-
Provision a new key (a column master key or a column encryption key).
- To provision a new enclave-enclave enabled key, see Provision enclave-enabled keys.
- To provision a key that isn't enclave enabled, see Provision Always Encrypted keys using SQL Server Management Studio and Provision Always encrypted keys using PowerShell.
[!NOTE] When using Azure Key Vault as the key store, multitenant customer managed key rotation is not supported. Ensure that the new customer managed key is in the same tenant as the existing one.
-
Replace an existing key with the new key.
- If you're rotating a column encryption key and both the source key and the target key are enclave-enabled, you can run the rotation (which involves re-encrypting your data) in-place. For more information, see Configure column encryption in-place using Always Encrypted with secure enclaves.
- For detailed steps for rotating keys, see Rotate Always Encrypted keys using SQL Server Management Studio and Rotate Always Encrypted keys using PowerShell.
- Run Transact-SQL statements using secure enclaves
- Configure column encryption in-place using Always Encrypted with secure enclaves
- Enable Always Encrypted with secure enclaves for existing encrypted columns
- Develop applications using Always Encrypted with secure enclaves
- Manage keys for Always Encrypted with secure enclaves