Set old version of Key as SQL TDE protector is not working

Jonathan Friedrich 1 Reputation point
2021-11-18T09:26:40.173+00:00

Hello,

I am currently testing TDE with BYOK.
During testing I deleted my key that was used as TDE protector for my test sql database server.

As expected, the database wasn't reachable anymore.

Now I set a completely new key as TDE protector.
As expected, the server still had trouble reaching keyVault.

Now I restored the deleted key and created a new version of it.

Via Azure Portal I selected the keyvault, the correct key and the old version of the key which was used earlier as TDE protector.

When clicking validate Key, the sql server automatically grabs the latest version of the key instead of the selected version.
Same when trying via Azure cli.
Due to that, the database cannot recover.

Is that a bug or an intended feature? I wasn't able to find anything in the documentation.

Tags: Azure Key Vault, Azure SQL Database

2 answers

  1. CRB-INFORMATIQUE-2814 1 Reputation point
    2021-11-18T11:43:22.697+00:00

    THERE IS NO NEED TO WORRY, THE KEY IS ONLY A SIGNATURE AND THE DATABASE IS NOT LOST.


  2. GeethaThatipatri-MSFT 27,717 Reputation points Microsoft Employee
    2021-11-23T21:58:24.26+00:00

    @Jonathan Friedrich "Disable" the current version, re-try selecting the older version of the key, and see if that resolves your issue.
    To disable a Key version you just have to select the key and right-click the version to disable.
    Also, find this useful document on the TDE protector.

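An added example, not part of this thread and not Microsoft's own tooling: the Azure CLI sequence for pinning the TDE protector to one specific Key Vault key version, with the verification step a practitioner would want afterwards (reading the protector back and comparing the reported key URI to the one requested, so that "the server silently took the latest version" is caught rather than assumed). The vault, key, version, resource group and server names are placeholders; the `az` calls only run when the script is invoked with `run`, so the helper functions can be used and tested without the CLI installed. The exact output fields of `az sql server tde-key show` are assumed from the encryption-protector resource shape.

```shell
#!/bin/sh
# Added example (not from the thread): pin an Azure SQL TDE protector to a
# specific Key Vault key version and verify the server really reports that
# version. All names below are placeholders.

# Build the versioned key identifier that 'az sql server tde-key set --kid'
# expects. Usage: key_id VAULT KEY VERSION
key_id() {
    printf 'https://%s.vault.azure.net/keys/%s/%s\n' "$1" "$2" "$3"
}

# Extract the version segment (last path component) of a key identifier.
kid_version() {
    printf '%s\n' "${1##*/}"
}

# Compare the key URI reported by the server with the one we requested.
# Prints "pinned" when they match and returns 0; prints "drifted" and
# returns 1 when the server substituted another version (the symptom in
# the question above).
check_pinned() {
    requested="$1"
    reported="$2"
    if [ "$requested" = "$reported" ]; then
        echo pinned
        return 0
    fi
    echo drifted
    return 1
}

# Live procedure. Usage: run_pin VAULT KEY VERSION RESOURCE_GROUP SERVER
run_pin() {
    vault="$1"; key="$2"; version="$3"; rg="$4"; server="$5"
    kid=$(key_id "$vault" "$key" "$version")

    # Optional, as the Microsoft answer suggests: disable the newer version so
    # the server cannot pick it. NEWER_VERSION is a placeholder to fill in.
    # az keyvault key set-attributes --vault-name "$vault" --name "$key" \
    #     --version "NEWER_VERSION" --enabled false

    # Register the versioned key with the server, then make it the protector.
    az sql server key create --resource-group "$rg" --server "$server" --kid "$kid"
    az sql server tde-key set --resource-group "$rg" --server "$server" \
        --server-key-type AzureKeyVault --kid "$kid"

    # Read the protector back and compare; the 'uri' field is assumed to hold
    # the full versioned key identifier.
    reported=$(az sql server tde-key show --resource-group "$rg" \
        --server "$server" --query uri -o tsv)
    if check_pinned "$kid" "$reported"; then
        echo "protector pinned to version $(kid_version "$kid")"
    else
        echo "protector drifted to version $(kid_version "$reported")" >&2
        return 1
    fi
}

# Only touch Azure when explicitly asked:  sh pin.sh run VAULT KEY VERSION RG SERVER
if [ "${1:-}" = "run" ]; then
    shift
    run_pin "$@"
fi
```

The comparison is on the full URI rather than on the version string alone so that a protector that ended up on a different key entirely (not just a different version) is also reported as drift.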