Rotating TDE Certificates

Matthew McGiffen switches out a certificate:

In terms of encryption, Key Rotation is the process of replacing your encryption keys on a periodic basis. This is considered good practice and is required by many security certifications.

In practice, if you had to rotate/replace the key that is used to encrypt your data then that would be an intensive activity requiring all your data to be decrypted with the old key before being replaced with the new. This could also create a vulnerability where data sits in an unencrypted state during the process.

Instead, see what SQL Server does by reading Matthew’s blog post.
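As an added illustration of the certificate-level rotation the post refers to (this is not code from Matthew's article), the T-SQL below swaps the certificate protecting a TDE database encryption key: only the small DEK is re-encrypted, while the data pages stay encrypted under the same DEK. The database name `SalesDB`, the certificate name `TDE_Cert_2024`, the backup paths and the password placeholder are assumptions; a database master key in `master` is assumed to exist already.

```sql
-- Added example, not from the original post. Assumed names: SalesDB, TDE_Cert_2024.
USE master;
GO

-- 1. Create the replacement certificate. With no ENCRYPTION BY PASSWORD clause it is
--    protected by the database master key in master, which is what TDE expects.
CREATE CERTIFICATE TDE_Cert_2024
    WITH SUBJECT = 'TDE certificate rotated 2024',
    EXPIRY_DATE = '2025-12-31';
GO

-- 2. Back up the new certificate and its private key before using it for anything.
--    Without this backup an encrypted database cannot be restored on another server.
--    Paths and password are placeholders.
BACKUP CERTIFICATE TDE_Cert_2024
    TO FILE = 'C:\Backups\TDE_Cert_2024.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backups\TDE_Cert_2024.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>');
GO

-- 3. Re-encrypt only the database encryption key (DEK) with the new certificate.
--    No data pages are rewritten and the data never sits decrypted on disk.
USE SalesDB;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2024;
GO

-- 4. Verify which certificate now protects the DEK (encryption_state 3 = encrypted).
SELECT d.name              AS database_name,
       c.name              AS certificate_name,
       k.encryptor_type,
       k.encryption_state
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases            AS d ON d.database_id = k.database_id
JOIN master.sys.certificates  AS c ON c.thumbprint  = k.encryptor_thumbprint
WHERE d.name = 'SalesDB';
GO
```

Keep the old certificate (and its backup) until every backup taken under it is past its retention period, since restoring those backups still requires it.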