Configure SQL Server
This is Part: 4 of a 4-part blog series:
After setting up Azure Active Directory and registering the AAD Application and additionally creating an Azure Key Vault, the next st...
Updated May 29, 2020
Version 3.0
Blog Post
Manju1175,
1. using SQL Server on premise you have to use connector version 1.0.5. This version allows (1.0.4 do not) you the key versioning. In AKV you can create a new version of the key or a new key, it does not matter. You have to create another credential in SQL Server and create a new asymmetric key with "WITH PROVIDER_KEY_NAME = '<key name>/<version>" if you use the versioning option. Otherwise you have to create another credential and another asymmetric key in standard way "WITH PROVIDER_KEY_NAME = '<key name>". Leave active all the keys you need on the vault, you have to disabile only when no DBs are encrypted by a key. Decrypt the DB with the old key (or previous version) and encrypt with the new one. At the end you can disable old version or old key.
2. do not delete any keys if you think you need it. If you have some old backup keep the key disabled but present. If you need to restore a backup made with a previous version or with an old key you have to re-enable it, create a credential and asy key in SQL and then use it to decrypt the backup and restore it.
3. no I do not think so.
4. if you use the key generated by AKV you cannot save and restore in another AKV. This guaranteeses security but if you lose the AKV you lose all the key. It is a remote event but it a possible event. You can generate your own keys and import in AKV. You can save it in a safe and restore to another AKV if you need.