Thanks for the great article. I set this up in my environment, using the commands you provided. One important difference is that we don't have public access for any of our resources, including key vaults and Azure SQL Database. Therefore, I could not test it in the same way you did, because public access on our key vaults is already disabled. I therefore decided to test by deleting the TDE key (soft delete) in the primary vault. I expected that the SQL Server would automatically go to the secondary vault to find the key (which is in there). However, it didn't work. Instead, my database became inaccessible due to the SQL server not having a TDE key to use. I feel confident that I have it all set up properly, including permissions on both primary and secondary key vaults from both primary and secondary SQL Servers (in the Failover Group). I don't know what I'm doing wrong. Any ideas? A couple of questions I have are:
1) How did you ensure the SQL server has access to both keys in the two different Azure key vaults? I did this by looking at my access policies. Is there another way?
2) I don't understand the NOTE in red. I see the checkbox on the TDE Encryption blade that says "Make this key the default TDE protector". It seems that should be checked on both the primary and secondary servers in the Failover Group, right? This seems separate from the primary and secondary key vaults that both contain copies of the key.