
Azure Database Support Blog

Lesson Learned #360: Unsupported Key Size or Key Type. The supported RSA Key Size is 2048 or 3072.

Jose_Manuel_Jurado
May 30, 2023

We worked on a service request in which our customer faced the following error message while enabling customer-managed TDE on Azure SQL Managed Instance:

Failed to save Transparent Data Encryption settings for SQL resource: azmsqldbunuatcog01. Error message: The key vault provided 'https://XYZ.vault.azure.net/keys/XYZ1/fdXXXXX on server 'ServerName' uses unsupported Key Size or Key Type. The supported RSA Key Size is 2048 or 3072 and Key Type is RSA or RSA-HSM.

 

This issue is caused by a key-size mismatch between the TDE protector of the on-premises SQL Server 2014 instance and what Azure SQL Managed Instance accepts as a TDE protector. In this case the source was a SQL Server 2014 on-premises instance whose TDE certificate has a 1024-bit RSA private key (the default key length SQL Server generated through 2014). The customer wanted to migrate to Azure SQL Managed Instance, but the TDE protector for Managed Instance must be an RSA or RSA-HSM key in Azure Key Vault of exactly 2048 or 3072 bits, so the 1024-bit key is rejected with the error above.

 

In this case we are using BYOK (customer-managed keys) and importing the key by following this PowerShell guide: Use PowerShell to enable transparent data encryption - Azure SQL Managed Instance | Microsoft Learn.

 
According to this documentation, CREATE CERTIFICATE (Transact-SQL) - SQL Server | Microsoft Learn: "The Private Key must be <= 2500 bytes in encrypted format. Private keys generated by SQL Server are 1024 bits long through SQL Server 2014 (12.x) and are 2048 bits long beginning with SQL Server 2016 (13.x). Private keys imported from an external source have a minimum length of 384 bits and a maximum length of 4,096 bits. The length of an imported private key must be an integer multiple of 64 bits. Certificates used for TDE are limited to a private key size of 3456 bits." Note that these are the limits SQL Server itself enforces; a key that SQL Server accepts (for example 1024 bits, or 4096 bits) can still be refused by Managed Instance, which only takes 2048 or 3072 bits.
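The following PowerShell pre-check is an added example written for this note; it is not part of the original post nor of the Microsoft Learn script linked above. It reads the public part of the TDE certificate on the source instance with CERTENCODED (available since SQL Server 2012, so it works on 2014), derives the RSA key length from it, and compares it, together with the type and size of the Key Vault key, against the 2048/3072-bit RSA/RSA-HSM rule from the error message and the CREATE CERTIFICATE limits quoted above. It assumes the SqlServer and Az.KeyVault modules are installed and that Connect-AzAccount has already been run; the instance name is a placeholder, and the vault and key names are taken from the redacted error text, so replace them with your own.

```powershell
# Added example (not from the original post): check both ends of a
# SQL Server -> Azure SQL Managed Instance TDE BYOK migration before saving
# the TDE settings, so the "unsupported Key Size or Key Type" error is caught early.
# Assumes the SqlServer and Az.KeyVault modules and a prior Connect-AzAccount.
param(
    [string]$SourceInstance = 'SQL2014-ONPREM',   # placeholder source instance
    [string]$VaultName      = 'XYZ',              # placeholder, from the redacted error text
    [string]$KeyName        = 'XYZ1'              # placeholder, from the redacted error text
)

# Limits taken from the error message and the CREATE CERTIFICATE documentation.
$MiSupportedBits  = @(2048, 3072)
$MiSupportedTypes = @('RSA', 'RSA-HSM')
$TdeCertMinBits   = 384
$TdeCertMaxBits   = 3456

function Test-TdeProtectorKey {
    param([int]$Bits, [string]$KeyType = 'RSA')
    [pscustomobject]@{
        Bits               = $Bits
        KeyType            = $KeyType
        # What SQL Server itself accepts for an imported TDE certificate key.
        SqlTdeCertAllowed  = ($Bits -ge $TdeCertMinBits) -and ($Bits -le $TdeCertMaxBits) -and ($Bits % 64 -eq 0)
        # What Azure SQL Managed Instance accepts as a Key Vault TDE protector.
        MiProtectorAllowed = ($Bits -in $MiSupportedBits) -and ($KeyType -in $MiSupportedTypes)
    }
}

function Get-SourceTdeCertificates {
    param([string]$Instance)
    # The TDE certificate lives in master; join it to the databases it protects
    # and return its DER-encoded public certificate so the key size can be read.
    $query = @"
SELECT db.name AS database_name,
       c.name  AS tde_certificate,
       CERTENCODED(c.certificate_id) AS public_cert_der
FROM sys.dm_database_encryption_keys AS dek
JOIN master.sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
JOIN sys.databases AS db ON db.database_id = dek.database_id
WHERE dek.encryptor_type = 'CERTIFICATE';
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $query
}

function Get-RsaBitsFromDer {
    param([byte[]]$Der)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der)
    # Static call to the extension method so it works in both Windows PowerShell and PowerShell 7.
    [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
}

# 1. Source side: what key length is each on-prem TDE certificate using?
foreach ($row in Get-SourceTdeCertificates -Instance $SourceInstance) {
    $bits  = Get-RsaBitsFromDer -Der ([byte[]]$row.public_cert_der)
    $check = Test-TdeProtectorKey -Bits $bits
    if ($check.MiProtectorAllowed) {
        Write-Host "[OK]   $($row.database_name): certificate $($row.tde_certificate) is $bits-bit RSA"
    } else {
        # A 1024-bit certificate generated by SQL Server 2014 or earlier lands here.
        Write-Warning "$($row.database_name): certificate $($row.tde_certificate) is $bits-bit; Managed Instance needs $($MiSupportedBits -join ' or ') bits"
    }
}

# 2. Target side: does the Key Vault key meet the Managed Instance requirement?
$kvKey  = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
$kvBits = $kvKey.Key.N.Length * 8          # RSA modulus length in bits
$check  = Test-TdeProtectorKey -Bits $kvBits -KeyType $kvKey.Key.Kty
if ($check.MiProtectorAllowed) {
    Write-Host "[OK]   $($kvKey.Id) is $($kvKey.Key.Kty) $kvBits-bit"
} else {
    Write-Warning "$($kvKey.Id) is $($kvKey.Key.Kty) $kvBits-bit; supported types $($MiSupportedTypes -join '/') at $($MiSupportedBits -join '/') bits"
}
```

Run the script before executing the Microsoft Learn PowerShell procedure. A warning on the source side means the on-premises certificate key (1024 bits in this case) cannot be reused as the Managed Instance protector; a warning on the target side means the Key Vault key itself (for example a 4096-bit RSA key, which SQL Server on-premises would also refuse for TDE) must be replaced with a 2048- or 3072-bit RSA or RSA-HSM key before TDE settings can be saved.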

 

We would like to share the options we used to work around this issue in the source database:

 
