I'm referring to TDE encryption.
When we regenerate the DEK or create a new certificate and encrypt using certificate, does it decrypt/reencrypt the data itself?
Without decryption how can it change a key?
When you regenerate a DEK you can track progress in sys.dm_database_encryption_keys
column encryption_state=4 (Key change in progress), then all data from the DB must be decrypted and encrypted using a new key. eg:
ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_128;
When you change only the certificate that protect DEK only DEK is decrypted and encrypted by using a new key. DEK keys aren't changed and there is no need to decrypt and encrypt all data in DB
alter DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER CERTIFICATE NewCert;