With this release, you no longer need to reference a specific key version stored in Azure Key Vault or Managed HSM when configuring Transparent Data Encryption (TDE) with customer‑managed keys. Instead, Azure SQL Database now supports a versionless key URI, automatically using the latest enabled version of your key. This means:
- Simpler key management: you no longer need to specify the key version.
- Reduced operational overhead, since the risks tied to referencing an outdated key version are eliminated.
- Full control remains with the customer.
This enhancement streamlines encryption at rest, especially for organizations operating at scale or enforcing strict security and compliance standards.
Versionless keys for TDE are available today across Azure SQL Database with no additional cost.
Versioned vs. Versionless Key URIs
To highlight the difference, here are real examples:
Versioned Key URI (old approach — explicit version required)
https://demotdeakv.vault.azure.net/keys/TDECMK/40acafb8a7034b20ba227905df090a1f
Versionless Key URI (new approach)
https://demotdeakv.vault.azure.net/keys/TDECMK
A versionless key URI references only the key name. Azure SQL Database automatically uses the newest enabled version of the key.
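To make the distinction concrete, here is an added example (not code from the post or from Azure SQL) that parses Key Vault and Managed HSM key URIs of the two shapes shown above, derives the versionless form, and flags an inventory of TDE protectors still pinned to a version. It assumes the version segment is the 32-character hex identifier seen in the post's example; the server names and inventory are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Key Vault:   https://<vault>.vault.azure.net/keys/<name>[/<version>]
# Managed HSM: https://<hsm>.managedhsm.azure.net/keys/<name>[/<version>]
# Assumption: a version is the 32-char hex identifier as in the post's example.
_HOST_RE = re.compile(r"^[a-z0-9-]+\.(vault|managedhsm)\.azure\.net$")
_VERSION_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class KeyRef:
    host: str
    name: str
    version: Optional[str]  # None = versionless: latest enabled version is used

    @property
    def versionless_uri(self) -> str:
        return f"https://{self.host}/keys/{self.name}"


def parse_key_uri(uri: str) -> KeyRef:
    """Parse a Key Vault / Managed HSM key URI; raise ValueError if malformed."""
    u = urlparse(uri.strip())
    if u.scheme != "https" or not u.hostname or not _HOST_RE.match(u.hostname):
        raise ValueError(f"not a Key Vault or Managed HSM key URI: {uri}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "keys":
        raise ValueError(f"expected /keys/<name>[/<version>]: {uri}")
    version = parts[2] if len(parts) == 3 else None
    if version is not None and not _VERSION_RE.match(version):
        raise ValueError(f"malformed key version segment: {uri}")
    return KeyRef(u.hostname, parts[1], version)


def to_versionless(uri: str) -> str:
    """Return the versionless form of a (possibly versioned) key URI."""
    return parse_key_uri(uri).versionless_uri


def audit_tde_protectors(protectors: Dict[str, str]) -> List[str]:
    """Report servers whose TDE protector is pinned to one key version."""
    findings = []
    for server, uri in protectors.items():  # constructed: server -> protector URI
        try:
            ref = parse_key_uri(uri)
        except ValueError as exc:
            findings.append(f"{server}: INVALID ({exc})")
            continue
        if ref.version:
            findings.append(f"{server}: pinned to version {ref.version}; "
                            f"versionless form is {ref.versionless_uri}")
    return findings
```

Feed `audit_tde_protectors` the protector URIs you export from your own servers to see which ones would still need a manual update after a key rotation.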
Learn more
Transparent Data Encryption - Azure SQL Database
Azure SQL transparent data encryption with customer-managed key
Transparent data encryption with customer-managed keys at the database level