Transparent Data Encryption: Re-encrypting Databases with New Certificates

  • I'm working on a TDE project where a new certificate will need to be re-issued on the server (every 6 months) and then re-encrypting the database with it. This may sound like a dumb question, but does re-encrypting the database with the new certificate affect the database (i.e. leaving data unencrypted, etc.)? Does the database need to be offline before I can re-encrypt it with the new certificate? I searched everywhere (Google, SQLServerCentral) and can't seem to find an explanation for it. Any explanations/help will be appreciated!

    Ted

  • I think it depends on what you are doing. Are you wanting to regenerate the master key? Are you just wanting to regenerate the DB certificate? If you are just doing the DB certificate, then you would only have to drop the certificate and regenerate a new one. During that time (regeneration of your certificate), your DB files would be vulnerable.

  • Andrew Theodore (2/15/2012)


    I think it depends on what you are doing. Are you wanting to regenerate the master key? Are you just wanting to regenerate the DB certificate? If you are just doing the DB certificate, then you would only have to drop the certificate and regenerate a new one. During that time (regeneration of your certificate), your DB files would be vulnerable.

    I only want to regenerate the certificate (trusted). Running the script to create the new certificate and re-encrypting the database will not take long (less than a second) so I guess we'll be alright in terms of database and database file vulnerability. Unless anyone has any other ideas.
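The following T-SQL is an added example, not a script posted by anyone in this thread. It shows the documented way to rotate the TDE certificate for a database: create the new server certificate in master, back it up with its private key, and point the database encryption key (DEK) at the new certificate with ALTER DATABASE ENCRYPTION KEY. That statement re-encrypts only the DEK, not the data pages; the database stays online and encrypted throughout, and the old certificate can be removed once nothing depends on it and it is no longer needed to restore older backups. The certificate names, file paths and passwords are placeholders chosen for this example.

```sql
-- Assumed names: database TdeDb, old certificate TdeCert_Old, new certificate TdeCert_New.
-- Run in the context of the master database on the instance that hosts TdeDb.
USE master;
GO

-- 1. Create the replacement server certificate (protected by the database master key of master).
--    Setting an expiry date keeps the rotation schedule visible in sys.certificates.
CREATE CERTIFICATE TdeCert_New
    WITH SUBJECT = 'TDE certificate for TdeDb (rotated)',
         EXPIRY_DATE = '2012-08-15';
GO

-- 2. Back up the new certificate and its private key BEFORE binding the DEK to it.
--    Without this backup, the database cannot be restored on another instance.
--    The file paths and password are placeholders for this example.
BACKUP CERTIFICATE TdeCert_New
    TO FILE = 'C:\TdeBackup\TdeCert_New.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TdeBackup\TdeCert_New.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>'
    );
GO

-- 3. Re-encrypt the database encryption key with the new certificate.
--    Only the DEK is rewritten; the data pages remain encrypted with the same DEK,
--    so there is no window in which the data files are stored in plaintext.
USE TdeDb;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TdeCert_New;
GO

-- 4. Verify which certificate now protects each DEK (encryption_state 3 = encrypted).
USE master;
GO
SELECT DB_NAME(dek.database_id)   AS database_name,
       dek.encryption_state,
       c.name                      AS protecting_certificate,
       c.expiry_date
FROM   sys.dm_database_encryption_keys AS dek
       JOIN sys.certificates AS c
         ON c.thumbprint = dek.encryptor_thumbprint
WHERE  dek.database_id = DB_ID('TdeDb');
GO

-- 5. Only after step 4 shows TdeCert_New, and after confirming no backup that still
--    needs the old certificate remains in retention, remove the old certificate.
--    SQL Server refuses to drop a certificate that still protects a DEK, which is
--    why the rotation is done by ALTER rather than by dropping first.
DROP CERTIFICATE TdeCert_Old;
GO
```

The order matters for the availability concern raised in the question: the backup in step 2 is the part most often skipped, and the ALTER in step 3 is a metadata change that does not require taking the database offline.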

