Restore a DB encrypted with a TDE key into a server/instance having a different encryption key

Published Oct 23 2020 09:55 AM 2,136 Views

If you need to restore a database that was encrypted with a TDE (transparent data encryption) customer-managed key into a server that is encrypted with a different key, you can follow the steps below:


  1. If necessary, restore the TDE customer-managed key that was used to encrypt the database you will restore into the Azure Key Vault (AKV) you intend to use.


  1. On the “Transparent data encryption” blade of the target server/instance, click on “change key” and select the key with which the source backup was encrypted:




  1. Uncheck the “Make the selected key the default TDE protector” and save. By unchecking the key as TDE Protector, you will add the key to the server/instance without changing the encryption key of Its databases:



Note: They key was changed from thlemes-sqldb-k to thlemes-key2


  1. After the operation completes, you will see the key you selected in ‘Key’, but with the ‘Make the selected key the default TDE protector’ unchecked:




  1. However, if you refresh the page, It will show again the TDE Protector key:




This is because the TDE Protector key wasn’t changed and It’s shown by default in the Portal. However, after adding the source key as non-TDE Protector, you will be able to successfully perform the restore from the source backup into the target server/instance.


Although you can’t see the keys that are not the TDE Protector in the Portal, you can list them using REST API:


SQL Managed Instance:

SQL Server:


There is also a REST API command to delete the key if you need to, as you can see in the links above.


1 Comment
Regular Visitor

Ok, this is for Azure SQL. Using an on-premise SQL server on a VM in Azure I have to recreate the chain, Mapped AsyKey -> DEK, using a credential/login and set the thumbprint of the mapped key to the same value as the source SQL Server that performed the backup with the Key (I obviously must have this key in vault).

My question...

In the vault the function "New Version" of the key exists. It sets a new version number and marks it as "current version" and the older as "older version". You can decide to set them enabled or disabled. If I encrypt a DB using a version and do some bakups and then I create a new version of the key I can recrypt the DEK using new version and this works but I cannot restore any backup made with older version of the key also if it is enabled. I cannot restore them even if I set enable only the "version" used to make the backups. SQL returns me an error in the encryption. I'd like to know if this "New version" function is supported by SQL IaaS in order to rotate the keys or if I must necessarily create a new key every time I need to rotate and preserve the older until I could have need it for my backups.    

Version history
Last update:
‎Oct 23 2020 09:55 AM
Updated by: