Rotate encryption keys with the Vault EKM provider

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.

Database encryption key (DEK) rotation

To rotate the database encryption key, you can execute the following SQL query in Microsoft SQL Server Management Studio:

USE TestTDE;
GO

ALTER DATABASE ENCRYPTION KEY
REGENERATE WITH ALGORITHM = AES_256;
GO

SELECT * FROM sys.dm_database_encryption_keys;

Key encryption key (KEK) rotation

To rotate the asymmetric key in Vault's Transit, you can use the standard /rotate endpoint:

$ vault write -f transit/keys/ekm-encryption-key/rotate

After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption key with the newest version of the Vault key by creating a new asymmetric key:

use master;
GO

CREATE ASYMMETRIC KEY TransitVaultAsymmetricV2
FROM PROVIDER TransitVaultProvider
WITH CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'ekm-encryption-key';


CREATE CREDENTIAL TransitVaultTDECredentialsV2
    WITH IDENTITY = '<approle-role-id>',
    SECRET = '<approle-secret-id>'
FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
GO

CREATE LOGIN TransitVaultTDELoginV2 FROM ASYMMETRIC KEY TransitVaultAsymmetricV2;

use TestTDE;
go

ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetricV2;