
On SQL Azure I have set up Always Encrypted with an Azure Key Vault key. I then encrypted a few columns based on this. Everything is working fine.

My question: what happens when I generate a new key in Azure Key Vault?

  • Will it decrypt the encrypted columns based on the old key?
  • Will it re-encrypt the columns based on the new key value?
  • Does this all happen automatically, and how much time can it take?
marc_s
Lalit

1 Answer


The Key Vault stores the Column Master Key, which is used to decrypt the Column Encryption Key that actually encrypts and decrypts your data. If you are only rotating the Column Master Keys, then the process is very quick, as you just need to use the old Column Master Key to decrypt the Column Encryption Key, and re-encrypt it with the new Column Master Key. See Rotating Column Master Keys.

And see generally: Overview of Key Management for Always Encrypted.

David Browne - Microsoft
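The following queries are an added example, not part of the answer above: they read the Always Encrypted catalog views so you can watch a Column Master Key rotation and confirm that only the wrapped Column Encryption Key values change while the column-to-CEK mapping stays the same. No object names are assumed; everything is read from the database's own metadata.

```sql
-- 1. Which Column Master Key (CMK) wraps each Column Encryption Key (CEK)?
--    Before rotation: one row per CEK.
--    During rotation: two rows per CEK (wrapped by both the old and the new CMK).
--    After cleanup:   one row per CEK, pointing at the new CMK.
SELECT cek.name                        AS cek_name,
       cmk.name                        AS cmk_name,
       cmk.key_store_provider_name,
       cmk.key_path,
       cekv.encryption_algorithm_name,
       COUNT(*) OVER (PARTITION BY cek.column_encryption_key_id) AS wrapped_copies
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS cekv
  ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = cekv.column_master_key_id
ORDER BY cek.name, cmk.create_date;

-- 2. Which columns are protected by which CEK?
--    This result should be identical before and after a CMK-only rotation,
--    because the column data is not decrypted or re-encrypted.
SELECT OBJECT_SCHEMA_NAME(c.object_id) AS schema_name,
       OBJECT_NAME(c.object_id)        AS table_name,
       c.name                          AS column_name,
       c.encryption_type_desc,
       cek.name                        AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
ORDER BY schema_name, table_name, c.column_id;

-- 3. CMK metadata entries that no longer wrap any CEK.
--    After rotation these are the entries left over from the old key.
SELECT cmk.name, cmk.key_store_provider_name, cmk.key_path
FROM sys.column_master_keys AS cmk
WHERE NOT EXISTS (
    SELECT 1
    FROM sys.column_encryption_key_values AS cekv
    WHERE cekv.column_master_key_id = cmk.column_master_key_id
);
```

Run query 1 before, during and after the rotation; a CEK that still shows the old CMK after cleanup has not been re-wrapped, and clients without access to the old key will fail to decrypt columns that use it.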