We have migrated a database (backup to .bacpac and restore to the new tenant) but the database was encrypted using Always Encrypted and the key is stored in the original tenant's key vault. I can look at the data in SQL Management Studio by authenticating with the first tenant when it tries to decrypt (it automatically pops up the authentication dialog), but I need to move the key so my web app can access it too. Can it be migrated from one tenant to another, or is this going to become a manual process of exporting and re-importing the data?
1 Answer
1
An update on this: The short answer is yes, it's possible to move the keys from one tenant to another, but there's a caveat:
- The tenant must exist in the same subscription. If it doesn't, you have to first transfer the tenant to the same subscription as the destination tenant you want the keys to be moved to - an account on both with sufficient rights is required to perform this step.
- The entire key vault is migrated. The keys are tied to the vault and can't be used in another vault.

R2Bleep2
Could you change the wording of your answer a bit? In Azure vocabulary a tenant does not exist in a subscription. It is the other way around: a tenant owns possibly multiple subscriptions. I assume for your migration use case it is required that both the source subscription as well as the target subscription reside in the same tenant? – Carl in 't Veld Aug 08 '23 at 18:07