patternsqlMinor
Replacing SQL Server TDE soon expiring certificate
Viewed 0 times
sooncertificatesqltdereplacingserverexpiring
Problem
What is the best way to replace a soon expiring certificate? Downtime should be avoided. Databases size is 100GB.
Solution
If the certificate expires TDE will continue to work so don't panic there but you should still replace it to keep with your security policy. Because the certificate is used to encrypt the Database Encryption Key (DEK) and not the data, it is quite easy to change the certificate.
Create or import a new certificate and then use it to encrypt the DEK.
UPDATE
I made a mistake in my code above. It is not possible to alter the encryption algorithm and the certificate used in one statement. This was not required anyway so the following code is sufficient:
Create or import a new certificate and then use it to encrypt the DEK.
ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256 --Your choice of algorithm may be different
ENCRYPTION BY SERVER CERTIFICATE 'YourNewCertificate';UPDATE
I made a mistake in my code above. It is not possible to alter the encryption algorithm and the certificate used in one statement. This was not required anyway so the following code is sufficient:
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER CERTIFICATE YourNewCertificate;
GOCode Snippets
ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256 --Your choice of algorithm may be different
ENCRYPTION BY SERVER CERTIFICATE 'YourNewCertificate';ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER CERTIFICATE YourNewCertificate;
GOContext
StackExchange Database Administrators Q#151094, answer score: 4
Revisions (0)
No revisions yet.