Automated key rotation for TDE BYOK is now generally available for Azure SQL!
Published Aug 24 2022 12:18 AM

Updated on 10/26/22

Transparent data encryption (TDE) in Azure SQL Database and Managed Instance helps protect against the threat of malicious offline activity by encrypting data at rest. TDE with Customer-Managed Key (CMK) enables the Bring Your Own Key (BYOK) scenario for data protection at rest by allowing a key stored in a customer-owned and customer-managed Azure Key Vault to be used as the TDE Protector on the server or managed instance.


When using TDE with Customer-Managed Key, one of the important responsibilities that customers need to perform on a regular basis is key rotation, that is, rotating the TDE Protector on the server by switching to a new key (or new version of the earlier key) from Azure Key Vault. Key rotation is a critical activity for an organization that is required to meet security and compliance objectives. 


Automated key rotation for Azure SQL Database and Managed Instance is now generally available, simplifying key management responsibilities for customers. 


How does automated key rotation work 


Automated rotation can be enabled when configuring Customer Managed Key (TDE protector) on an existing server or managed instance. When a particular key from Azure Key Vault is set as the TDE Protector for the server and auto-rotation is enabled, the server continuously checks the key vault for new versions of the key being used as the TDE protector. If a new version of the key is detected, the TDE protector on the server is automatically rotated to the latest key version. 


Automated rotation in Azure SQL can be used together with automated key rotation in Azure Key Vault. Customers can configure a rotation policy on the key in their key vault to schedule automated rotation for the key, that is, a new version of the key will get automatically generated at a specified frequency. With automated rotation enabled in Azure SQL, the new key version gets automatically set as the TDE Protector for the server or managed instance. This enables end-to-end zero-touch key rotation for customers using TDE with CMK in Azure SQL.   


Quick steps to configure automatic rotation of TDE Protector on Azure SQL logical server 


  1.  Use the Azure Portal to enable autorotation for the TDE Protector on the server 
    (see the snapshot below for Azure SQL logical server with entries indicated by the red rectangles)  



  2.   Use the Set-AzSqlServerTransparentDataEncryptionProtector PowerShell cmdlet to enable auto-rotation for the TDE Protector on the server.


Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId <keyVaultKeyId> `
    -ServerName <logicalServerName> -ResourceGroup <SQLDatabaseResourceGroupName> `
    -AutoRotationEnabled $true


Apart from Azure Portal and PowerShell, automated rotation can also be enabled via REST API and CLI.
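
To check which logical servers already have the setting from the steps above, the following added example (not from the original post) reports each server's TDE Protector type and auto-rotation state. It assumes a signed-in Az context and an Az.Sql version whose protector object exposes AutoRotationEnabled; the function name Get-TdeAutoRotationReport is hypothetical.

```powershell
# Added example: audit TDE Protector settings across Azure SQL logical servers.
# Requires the Az.Accounts and Az.Sql modules and a prior Connect-AzAccount.
function Get-TdeAutoRotationReport {
    [CmdletBinding()]
    param(
        # Optional: limit the audit to one resource group.
        [string]$ResourceGroupName
    )

    # Without a resource group, Get-AzSqlServer lists every server in the subscription.
    $servers = if ($ResourceGroupName) {
        Get-AzSqlServer -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzSqlServer
    }

    foreach ($server in $servers) {
        $protector = Get-AzSqlServerTransparentDataEncryptionProtector `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName

        # Assumption: AutoRotationEnabled is present on the returned object.
        $finding = if ($protector.Type -ne 'AzureKeyVault') {
            'Service-managed key; CMK auto-rotation does not apply'
        } elseif ($protector.AutoRotationEnabled -eq $true) {
            'OK'
        } else {
            'CMK in use but auto-rotation is not enabled'
        }

        [pscustomobject]@{
            ResourceGroup       = $server.ResourceGroupName
            Server              = $server.ServerName
            ProtectorType       = $protector.Type
            KeyId               = $protector.KeyId
            AutoRotationEnabled = $protector.AutoRotationEnabled
            Finding             = $finding
        }
    }
}

# Show only servers that need attention.
Get-TdeAutoRotationReport | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```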


Similar support is provided for Managed Instance. 


Learn More 

  1. Automated rotation of TDE Protector
  2. Geo-replication considerations when enabling automated rotation
  3. Tutorial for automatic key rotation in Azure SQL
  4. Configure cryptographic key auto-rotation in Azure Key Vault | Microsoft Docs


Automated key rotation further streamlines the Customer Managed Key experience for customers and organizations, providing simplified and flexible key management, removing the overhead of manually rotating keys, and allowing better adherence to security and compliance guidelines on key rotation policies.



Last update: Oct 26 2022 04:50 PM