Configure SQL Server
This is Part: 4 of a 4-part blog series:
After setting up Azure Active Directory and registering the AAD Application and additionally creating an Azure Key Vault, the next st...
Updated May 29, 2020
Version 3.0
Blog Post
So the credential that was created (is Step 4) is associatedwith the TDE_Login (in Step 9).
It is the credential that SQL uses to contact AKV. Via the Azure Active Directory Application (from Part 2)
This whole process is confusing and complicated. (Written years ago - way before my time).
I've tried simplifying it and not having to swap credentials and logins... but in order to get the Asym key, we need to go through all of these steps.
I believe the database uses the TDE_Login (with the attached Credential) to contact AKV... it all happens under the covers so not much to discuss in this article and no way for me to see how that functions. I know if you do not create the TDE_Login, there is no wayfor the Encryption Provider to get the credentials to access AKV.
And your last question: Yes, once TDE is enabled, you can not configure anything (opther than enabling/disabling inStep 12)
ALTER DATABASE TestTDE
SET ENCRYPTION ON;
Hope this helps.