scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 03:27:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: Add how to rotate SQL Server key (#15993)

Browse Source
This commit is contained in:
Christopher Swenson
2022-06-17 08:59:27 -07:00
committed by GitHub
parent b853cddf54
commit 3d01a88e61
1 changed files with 42 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
website/content/docs/platform/mssql/installation.mdx
View File

@@ -49,8 +49,8 @@ EKM provider to use it.
1. Retrieve the AppRole ID and secret ID for use later when configuring SQL Server:
```bash
vault read auth/approle/role/ekm-encryption-key-role/role-id
vault write -f auth/approle/role/ekm-encryption-key-role/secret-id
vault read auth/approle/role/tde-role/role-id
vault write -f auth/approle/role/tde-role/secret-id
```
1. Enable the transit secret engine and create a key:
@@ -136,8 +136,8 @@ installation.
```sql
-- Replace <approle-role-id> and <approle-secret-id> with the values from
-- the earlier vault commands:
-- vault read auth/approle/role/ekm-encryption-key-role/role-id
-- vault write -f auth/approle/role/ekm-encryption-key-role/secret-id
-- vault read auth/approle/role/tde-role/role-id
-- vault write -f auth/approle/role/tde-role/secret-id
CREATE CREDENTIAL TransitVaultCredentials
WITH IDENTITY = '<approle-role-id>',
SECRET = '<approle-secret-id>'
@@ -207,3 +207,41 @@ installation.
encryptor_type, encryption_state_desc, encryption_scan_state_desc FROM sys.dm_database_encryption_keys k;
```
## Key Rotation
Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.
To rotate the database encryption key, you can execute the
[following SQL query](https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-encryption-key-transact-sql?view=azuresqldb-current)
in Microsoft SQL Server Management Studio:
```sql
USE TestTDE;
GO
ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256;
GO
SELECT * FROM sys.dm_database_encryption_keys;
```
To rotate the asymmetric key in Vault's Transit, you can use the standard
[`/rotate`](/api-docs/secret/transit#rotate-key) endpoint:
```shell-session
$ vault write -f transit/keys/ekm-encryption-key/rotate
```
After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption
key with the newest version of the Vault key with:
```sql
USE TestTDE;
GO
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetric;
GO
```