Azure-docs: HA/DR for single database

Created on 19 Sep 2019 · 5 comments · Source: MicrosoftDocs/azure-docs

The doc says this: "it is highly recommended to configure the server to use two different key vaults in two different regions with the same key material"

Does this mean in the event of an outage with KV in one region that there are manual steps that need to be taken to configure the existing SQL server to use the secondary KV? Or, is there a way to configure a single SQL server to use two Key Vaults so failover happens automatically?


All 5 comments

@dmarlow Azure Key Vault already has a feature that adds redundancy and availability. This is based on the paired region architecture for Key Vault. Here is the Document which explains this in detail:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-disaster-recovery-guidance

Here are more details for configuring TDE with Key Vault. Here is the link.

@dmarlow Please do get back to us if you have any additional questions or we will go ahead and close this thread by EOD.

I understand that KV is already redundant. The part I'm confused about is "configure the server to use two different key vaults". How can SQL be configured to use two different KVs? I thought a data encryption protector could only use a single KV key, and thereby a single KV.

@dmarlow We are assigning this case to the doc author for more insight into this.
@aliceku Please check the user's question and clarify the doubts.

@dmarlow, at any moment there can be no more than one TDE protector set for a server. It's the key marked with "Make the key the default TDE protector" in the Azure portal blade. However, multiple additional keys can be linked to a server without marking them as the TDE protector. These keys are not used for protecting the DEK, but can be used during restore from a backup, if the backup file is encrypted with the key with the corresponding thumbprint.
Another role of such a key, when its parent key vault is located in another region, and if it holds the same key material as the TDE protector, is to provide redundancy. If there is an outage affecting the primary key vault, and only then, the system will automatically switch to the other linked key with the same thumbprint in another key vault, if one exists. Note though that this will not happen if the TDE protector is inaccessible because of revoked access rights, or because the key or key vault is deleted, as this may indicate that the customer intentionally wanted to restrict the server from accessing the key.
Thank you for asking the question. We will update the article to make this clearer.
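The setup the answer above describes (one protector, a second linked key with the same thumbprint in another vault), as an added example that is not from the thread or from Microsoft's docs. It assumes Azure CLI, a logical server whose TDE protector is already a customer-managed key, and a second Key Vault in another region holding the same key material (restored there from a backup of the first); `RG`, `SERVER` and `SECONDARY_KID` are placeholders. The check itself runs offline against a constructed sample unless `RUN_AZURE=1`.

```shell
#!/bin/sh
# Added example; not code from the issue thread or from Microsoft.
# Placeholders: resource group, logical server, and the key URI of the
# secondary vault's copy of the protector key (same key material).
RG="${RG:-my-rg}"
SERVER="${SERVER:-my-sqlserver}"
SECONDARY_KID="${SECONDARY_KID:-https://kv-secondary.vault.azure.net/keys/tdekey/0123456789abcdef}"

# Link the secondary copy WITHOUT making it the protector: the server keeps
# exactly one TDE protector, and this key only serves as its standby.
link_secondary_key() {
  az sql server key create --resource-group "$RG" --server "$SERVER" --kid "$SECONDARY_KID" >/dev/null
}

# Thumbprint of the key currently set as TDE protector.
protector_thumbprint() {
  az sql server tde-key show --resource-group "$RG" --server "$SERVER" --query thumbprint -o tsv
}

# One "thumbprint<TAB>key-uri" line per key linked to the server.
linked_keys() {
  az sql server key list --resource-group "$RG" --server "$SERVER" --query "[].[thumbprint, uri]" -o tsv
}

# Pure check (no Azure calls). $1 = protector thumbprint, stdin = linked-key
# lines. Succeeds only if that thumbprint is linked from two or more distinct
# vault hosts, i.e. a standby the automatic switch-over could use. Confirm
# separately that the second vault really is in another region.
redundant_copy_exists() {
  tab=$(printf '\t')
  n=$(awk -F "$tab" -v tp="$1" '$1 == tp { split($2, p, "/"); v[p[3]] = 1 }
                                END { c = 0; for (k in v) c++; print c }')
  [ "$n" -ge 2 ]
}

# Constructed sample of linked_keys output: abc123 is linked from two vaults,
# zzz999 (an old key kept only for backup restores) from one.
sample_keys() {
  printf '%s\t%s\n' \
    abc123 https://kv-primary.vault.azure.net/keys/tdekey/1111 \
    abc123 https://kv-secondary.vault.azure.net/keys/tdekey/2222 \
    zzz999 https://kv-primary.vault.azure.net/keys/oldkey/3333
}

if [ "${RUN_AZURE:-0}" = 1 ]; then
  link_secondary_key; tp=$(protector_thumbprint); keys=$(linked_keys)
else
  tp=abc123; keys=$(sample_keys)   # offline run against the constructed sample
fi
if printf '%s\n' "$keys" | redundant_copy_exists "$tp"; then
  echo "protector $tp has a same-material copy linked from a second vault"
else
  echo "protector $tp has no copy in a second vault: no automatic switch-over possible"
fi
```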
