docs: Add encryption key decryption workflow and certificate rename guidance (#36539)

VanMSFT · web-flow · commit b659dda483f7 · 2026-02-02T17:04:54.000-05:00
- Add decryption procedure to DROP COLUMN ENCRYPTION KEY article with step-by-step workflow
- Document certificate renaming limitation in ALTER CERTIFICATE article with TDE workaround
- Apply Microsoft Writing Style Guide compliance (active voice, contractions)
- Update Related content sections and metadata
diff --git a/docs/t-sql/statements/alter-certificate-transact-sql.md b/docs/t-sql/statements/alter-certificate-transact-sql.md
@@ -3,7 +3,7 @@ title: "ALTER CERTIFICATE (Transact-SQL)"
 description: ALTER CERTIFICATE (Transact-SQL)
 author: VanMSFT
 ms.author: vanto
-ms.date: "04/22/2019"
+ms.date: "01/30/2026"
 ms.service: sql
 ms.subservice: t-sql
 ms.topic: reference
@@ -52,9 +52,8 @@ ALTER CERTIFICATE certificate_name
          [ DECRYPTION BY PASSWORD = 'current_password' ]  
          [ [ , ] ENCRYPTION BY PASSWORD = 'new_password' ]  
       }  
-``` 
- 
- 
+```
+
 ```syntaxsql  
 -- Syntax for Parallel Data Warehouse  
   
@@ -65,57 +64,108 @@ ALTER CERTIFICATE certificate_name
         FILE = '<path_to_private_key>',  
         DECRYPTION BY PASSWORD = '<key password>' )
 }  
-```  
+```
 
 ## Arguments
- *certificate_name*  
- Is the unique name by which the certificate is known in the database.  
+
+*certificate_name*  
+ The unique name by which the certificate is known in the database.  
   
  REMOVE PRIVATE KEY  
- Specifies that the private key should no longer be maintained inside the database.  
+ Specifies that the private key will no longer be maintained inside the database.  
   
  WITH PRIVATE KEY
  Specifies that the private key of the certificate is loaded into SQL Server.
 
- FILE ='*path_to_private_key*'  
- Specifies the complete path, including file name, to the private key. This parameter can be a local path or a UNC path to a network location. This file will be accessed within the security context of the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] service account. When you use this option, make sure the service account has access to the specified file.
- 
- If only a file name is specified, the file is saved in the default user data folder for the instance. This folder might (or might not) be the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] DATA folder. For SQL Server Express LocalDB, the default user data folder for the instance is the path specified by the `%USERPROFILE%` environment variable for the account that created the instance.  
-  
- BINARY ='*private_key_bits*'  
+FILE ='*path_to_private_key*'  
+ Specifies the complete path, including file name, to the private key. This parameter can be a local path or a UNC path to a network location. The file is accessed within the security context of the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] service account. When you use this option, make sure the service account has access to the specified file.
+
+If you specify only a file name, the file is saved in the default user data folder for the instance. This folder might or might not be the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] DATA folder. For SQL Server Express LocalDB, the default user data folder for the instance is the path specified by the `%USERPROFILE%` environment variable for the account that created the instance.
+
+BINARY ='*private_key_bits*'  
  **Applies to**: [!INCLUDE[ssSQL11](../../includes/sssql11-md.md)] and later.  
   
- Private key bits specified as binary constant. These bits can be in encrypted form. If encrypted, the user must provide a decryption password. Password policy checks are not performed on this password. The private key bits should be in a PVK file format.  
-  
- DECRYPTION BY PASSWORD ='*current_password*'  
- Specifies the password that is required to decrypt the private key.  
-  
- ENCRYPTION BY PASSWORD ='*new_password*'  
- Specifies the password used to encrypt the private key of the certificate in the database. *new_password* must meet the Windows password policy requirements of the computer that is running the instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. For more information, see [Password Policy](../../relational-databases/security/password-policy.md).  
-  
- ACTIVE FOR BEGIN_DIALOG **=** { ON | OFF }  
- Makes the certificate available to the initiator of a [!INCLUDE[ssSB](../../includes/sssb-md.md)] dialog conversation.  
-  
-## Remarks  
- The private key must correspond to the public key specified by *certificate_name*.  
-  
- The DECRYPTION BY PASSWORD clause can be omitted if the password in the file is protected with a null password.  
-  
- When the private key of a certificate that already exists in the database is imported, the private key will be automatically protected by the database master key. To protect the private key with a password, use the ENCRYPTION BY PASSWORD clause.  
-  
- The REMOVE PRIVATE KEY option will delete the private key of the certificate from the database. You can remove the private key when the certificate will be used to verify signatures or in [!INCLUDE[ssSB](../../includes/sssb-md.md)] scenarios that do not require a private key. Do not remove the private key of a certificate that protects a symmetric key. The private key will need to be restored in order to sign any additional modules or strings that should be verified with the certificate, or to decrypt a value that has been encrypted with the certificate.   
-  
- You do not have to specify a decryption password when the private key is encrypted by using the database master key.  
- 
- To change the password used for encrypting the private key, do not specify either the FILE or BINARY clauses.
+ Private key bits specified as binary constant. These bits can be in encrypted form. If encrypted, you must provide a decryption password. SQL Server doesn't perform password policy checks on this password. The private key bits should be in a PVK file format.  
   
+DECRYPTION BY PASSWORD ='*current_password*'  
+ Specifies the password that is required to decrypt the private key.
+
+ENCRYPTION BY PASSWORD ='*new_password*'  
+ Specifies the password used to encrypt the private key of the certificate in the database. *new_password* must meet the Windows password policy requirements of the computer that is running the instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. For more information, see [Password Policy](../../relational-databases/security/password-policy.md).
+
+ACTIVE FOR BEGIN_DIALOG **=** { ON | OFF }  
+ Makes the certificate available to the initiator of a [!INCLUDE[ssSB](../../includes/sssb-md.md)] dialog conversation.
+
+## Remarks
+
+The private key must correspond to the public key specified by *certificate_name*.
+
+You can omit the DECRYPTION BY PASSWORD clause if the password in the file is protected with a null password.
+
+When you import the private key of a certificate that already exists in the database, the private key is automatically protected by the database master key. To protect the private key with a password, use the ENCRYPTION BY PASSWORD clause.
+
+The REMOVE PRIVATE KEY option deletes the private key of the certificate from the database. You can remove the private key when you use the certificate to verify signatures or in [!INCLUDE[ssSB](../../includes/sssb-md.md)] scenarios that don't require a private key. Don't remove the private key of a certificate that protects a symmetric key. You need to restore the private key to sign any additional modules or strings that should be verified with the certificate, or to decrypt a value that was encrypted with the certificate.
+
+You don't have to specify a decryption password when the private key is encrypted by using the database master key.
+
+To change the password used for encrypting the private key, don't specify either the FILE or BINARY clauses.
+
 > [!IMPORTANT]  
->  Always make an archival copy of a private key before removing it from a database. For more information, see [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md) and [CERTPRIVATEKEY &#40;Transact-SQL&#41;](../../t-sql/functions/certprivatekey-transact-sql.md).  
-  
- The WITH PRIVATE KEY option is not available in a contained database.  
-  
-## Permissions  
- Requires ALTER permission on the certificate.  
+> Always make an archival copy of a private key before removing it from a database. For more information, see [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md) and [CERTPRIVATEKEY &#40;Transact-SQL&#41;](../../t-sql/functions/certprivatekey-transact-sql.md).
+
+The WITH PRIVATE KEY option isn't available in a contained database.
+
+## Limitations
+
+Certificate names can't be changed after creation. ALTER CERTIFICATE doesn't support renaming certificates. If you need to use a different certificate name, you must create a new certificate and migrate dependencies.
+
+### Workaround for TDE certificates
+
+If you need to replace a Transparent Data Encryption (TDE) certificate with a different name:
+
+1. **Back up the current certificate and private key**:
+
+   ```sql
+   BACKUP CERTIFICATE OldTDECert
+   TO FILE = 'C:\Backup\OldTDECert.cer'
+   WITH PRIVATE KEY (
+       FILE = 'C:\Backup\OldTDECert.pvk',
+       ENCRYPTION BY PASSWORD = '<password>'
+   );
+   ```
+
+1. **Create the new certificate with the correct name**:
+
+   ```sql
+   CREATE CERTIFICATE NewTDECert
+   WITH SUBJECT = 'TDE Certificate - Correct Name';
+   ```
+
+1. **For each TDE-encrypted database, change the encryption key**:
+
+   ```sql
+   USE EncryptedDB;
+   GO
+   
+   ALTER DATABASE ENCRYPTION KEY
+   ENCRYPTION BY SERVER CERTIFICATE NewTDECert;
+   ```
+
+1. **After all databases are migrated, drop the old certificate**:
+
+   ```sql
+   USE master;
+   GO
+   
+   DROP CERTIFICATE OldTDECert;
+   ```
+
+> [!IMPORTANT]
+> Always back up certificates and private keys before making TDE changes. Store backups in a secure location separate from the database server.
+
+## Permissions
+
+Requires ALTER permission on the certificate.  
   
 ## Examples  
   
@@ -152,16 +202,15 @@ ALTER CERTIFICATE Shipping15
     WITH PRIVATE KEY (DECRYPTION BY PASSWORD = '95hk000eEnvjkjy#F%');  
 GO  
 ```  
-  
-## See Also  
- [CREATE CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/create-certificate-transact-sql.md)  
- [DROP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/drop-certificate-transact-sql.md)  
- [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md)  
- [Encryption Hierarchy](../../relational-databases/security/encryption/encryption-hierarchy.md)  
- [EVENTDATA &#40;Transact-SQL&#41;](../../t-sql/functions/eventdata-transact-sql.md)  
- [CERTENCODED &#40;Transact-SQL&#41;](../../t-sql/functions/certencoded-transact-sql.md)  
- [CERTPRIVATEKEY &#40;Transact-SQL&#41;](../../t-sql/functions/certprivatekey-transact-sql.md)  
- [CERT_ID &#40;Transact-SQL&#41;](../../t-sql/functions/cert-id-transact-sql.md)  
- [CERTPROPERTY &#40;Transact-SQL&#41;](../../t-sql/functions/certproperty-transact-sql.md)  
-  
-  
+
+## Related content
+
+- [CREATE CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/create-certificate-transact-sql.md)
+- [DROP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/drop-certificate-transact-sql.md)
+- [BACKUP CERTIFICATE &#40;Transact-SQL&#41;](../../t-sql/statements/backup-certificate-transact-sql.md)
+- [Encryption Hierarchy](../../relational-databases/security/encryption/encryption-hierarchy.md)
+- [EVENTDATA &#40;Transact-SQL&#41;](../../t-sql/functions/eventdata-transact-sql.md)
+- [CERTENCODED &#40;Transact-SQL&#41;](../../t-sql/functions/certencoded-transact-sql.md)
+- [CERTPRIVATEKEY &#40;Transact-SQL&#41;](../../t-sql/functions/certprivatekey-transact-sql.md)
+- [CERT_ID &#40;Transact-SQL&#41;](../../t-sql/functions/cert-id-transact-sql.md)
+- [CERTPROPERTY &#40;Transact-SQL&#41;](../../t-sql/functions/certproperty-transact-sql.md)
diff --git a/docs/t-sql/statements/drop-column-encryption-key-transact-sql.md b/docs/t-sql/statements/drop-column-encryption-key-transact-sql.md
@@ -3,7 +3,7 @@ title: "DROP COLUMN ENCRYPTION KEY (Transact-SQL)"
 description: DROP COLUMN ENCRYPTION KEY (Transact-SQL)
 author: jaszymas
 ms.author: jaszymas
-ms.date: "10/15/2019"
+ms.date: "01/30/2026"
 ms.service: sql
 ms.subservice: t-sql
 ms.topic: reference
@@ -30,35 +30,55 @@ dev_langs:
   
 ```syntaxsql
 DROP COLUMN ENCRYPTION KEY key_name [;]  
-```  
+```
 
 ## Arguments
- *key_name*  
- Is the name by which the column encryption key to be dropped from the database.  
+
+*key_name*  
+ The name of the column encryption key to drop from the database.  
   
 ## Remarks
- A column encryption key cannot be dropped if it is used to encrypt any column in the database. All columns using the column encryption key must first be dropped.  
-  
-## Permissions  
- Requires **ALTER ANY COLUMN ENCRYPTION KEY** permission on the database.  
-  
-## Examples  
-  
-### A. Dropping a column encryption key  
- The following example drops a column encryption key called `MyCEK`.  
-  
+
+A column encryption key can't be dropped if it's used to encrypt any column in the database. All columns using the column encryption key must first be decrypted or dropped.
+
+To remove encryption from a column:
+
+1. **Decrypt the column** - Use `ALTER TABLE` to modify the encrypted column, removing the encryption specification:
+
+   ```sql
+   ALTER TABLE dbo.Employees
+   ALTER COLUMN SSN NVARCHAR(11);
+   ```
+
+2. **Drop the column encryption key** - After all columns using the key are decrypted, you can drop the key:
+
+   ```sql
+   DROP COLUMN ENCRYPTION KEY MyCEK;
+   ```
+
+Alternatively, if you no longer need the column data, you can drop the column entirely using `ALTER TABLE DROP COLUMN` before dropping the encryption key.
+
+## Permissions
+
+Requires **ALTER ANY COLUMN ENCRYPTION KEY** permission on the database.
+
+## Examples
+
+### A. Dropping a column encryption key
+
+The following example drops a column encryption key called `MyCEK`.
+
 ```sql  
 DROP COLUMN ENCRYPTION KEY MyCEK;  
 GO  
-```  
-  
-## See Also  
- [CREATE COLUMN ENCRYPTION KEY &#40;Transact-SQL&#41;](../../t-sql/statements/create-column-encryption-key-transact-sql.md)   
- [ALTER COLUMN ENCRYPTION KEY &#40;Transact-SQL&#41;](../../t-sql/statements/alter-column-encryption-key-transact-sql.md)   
- [CREATE COLUMN MASTER KEY &#40;Transact-SQL&#41;](../../t-sql/statements/create-column-master-key-transact-sql.md)  
- [Always Encrypted](../../relational-databases/security/encryption/always-encrypted-database-engine.md)   
- [Always Encrypted with secure enclaves](../../relational-databases/security/encryption/always-encrypted-enclaves.md)   
- [Overview of Key Management for Always Encrypted](../../relational-databases/security/encryption/overview-of-key-management-for-always-encrypted.md)   
- [Manage keys for Always Encrypted with secure enclaves](../../relational-databases/security/encryption/always-encrypted-enclaves-manage-keys.md)   
-  
-  
+```
+
+## Related content
+
+- [CREATE COLUMN ENCRYPTION KEY &#40;Transact-SQL&#41;](../../t-sql/statements/create-column-encryption-key-transact-sql.md)
+- [ALTER COLUMN ENCRYPTION KEY &#40;Transact-SQL&#41;](../../t-sql/statements/alter-column-encryption-key-transact-sql.md)
+- [CREATE COLUMN MASTER KEY &#40;Transact-SQL&#41;](../../t-sql/statements/create-column-master-key-transact-sql.md)
+- [Always Encrypted](../../relational-databases/security/encryption/always-encrypted-database-engine.md)
+- [Always Encrypted with secure enclaves](../../relational-databases/security/encryption/always-encrypted-enclaves.md)
+- [Overview of Key Management for Always Encrypted](../../relational-databases/security/encryption/overview-of-key-management-for-always-encrypted.md)
+- [Manage keys for Always Encrypted with secure enclaves](../../relational-databases/security/encryption/always-encrypted-enclaves-manage-keys.md)   
