We worked on a service request that our customer faced the following error message.
Failed to save Transparent Data Encryption settings for SQL resource: azmsqldbunuatcog01. Error message: The key vault provided 'https://XYZ.vault.azure.net/keys/XYZ1/fdXXXXX on server 'ServerName' uses unsupported Key Size or Key Type. The supported RSA Key Size is 2048 or 3072 and Key Type is RSA or RSA-HSM.
This issue occurs due to a difference of key size between SQL Server 2014 TDE and Azure SQL Managed Instance TDE. In this situation we have a SQL Server 2014 on-prem instance protected with TDE 1024 bits. We want to migrate to Azure SQL Managed Instance, but the issue is that TDE protector for Managed Instance has a requirements of 2048 and 3072 bits key.
In this case we are using BYOK and import this using this PowerShell script: Use PowerShell to enable transparent data encryption - Azure SQL Managed Instance | Microsoft Learn
We would like to share the options done to bypass this issue in the source database:
- To turn off TDE: https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver16
- Drop the database encryption key: https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-encryption-key-transact-sql?view=sql-server-ver16
- Drop the certificate from DB: https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-certificate-transact-sql?view=sql-server-ver16
- Drop the master key: https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-master-key-transact-sql?view=sql-server-ver16
- After decrypted the data and removed TDE, we need to migrate database to Managed Instance and enable TDE for the database inside Portal with a new BYOK within security policies: https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql