backport of commit 3d01a88 (#16041)

Co-authored-by: Christopher Swenson <swenson@swenson.io>
hashicorp · Jun 17, 2022 · 46e0ecc · 46e0ecc
1 parent 5f8a2cf
commit 46e0ecc
Showing 1 changed file with 42 additions and 4 deletions.
diff --git a/website/content/docs/platform/mssql/installation.mdx b/website/content/docs/platform/mssql/installation.mdx
@@ -49,8 +49,8 @@ EKM provider to use it.
 1. Retrieve the AppRole ID and secret ID for use later when configuring SQL Server:
 
     ```bash
-    vault read auth/approle/role/ekm-encryption-key-role/role-id
-    vault write -f auth/approle/role/ekm-encryption-key-role/secret-id
+    vault read auth/approle/role/tde-role/role-id
+    vault write -f auth/approle/role/tde-role/secret-id
     ```
 
 1. Enable the transit secret engine and create a key:
@@ -136,8 +136,8 @@ installation.
     ```sql
     -- Replace <approle-role-id> and <approle-secret-id> with the values from
     -- the earlier vault commands:
-    -- vault read auth/approle/role/ekm-encryption-key-role/role-id
-    -- vault write -f auth/approle/role/ekm-encryption-key-role/secret-id
+    -- vault read auth/approle/role/tde-role/role-id
+    -- vault write -f auth/approle/role/tde-role/secret-id
     CREATE CREDENTIAL TransitVaultCredentials
         WITH IDENTITY = '<approle-role-id>',
         SECRET = '<approle-secret-id>'
@@ -207,3 +207,41 @@ installation.
         encryptor_type, encryption_state_desc, encryption_scan_state_desc FROM sys.dm_database_encryption_keys k;
 
     ```
+
+## Key Rotation
+
+Both the database encryption key and Vault Transit's asymmetric key can be rotated independently.
+
+To rotate the database encryption key, you can execute the
+[following SQL query](https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-encryption-key-transact-sql?view=azuresqldb-current)
+in Microsoft SQL Server Management Studio:
+
+```sql
+USE TestTDE;
+GO
+
+ALTER DATABASE ENCRYPTION KEY
+REGENERATE WITH ALGORITHM = AES_256;
+GO
+
+SELECT * FROM sys.dm_database_encryption_keys;
+```
+
+To rotate the asymmetric key in Vault's Transit, you can use the standard
+[`/rotate`](/api-docs/secret/transit#rotate-key) endpoint:
+
+```shell-session
+$ vault write -f transit/keys/ekm-encryption-key/rotate
+```
+
+After rotating the Vault asymmetric key, you can force SQL Server to re-encrypt the database encryption
+key with the newest version of the Vault key with:
+
+```sql
+USE TestTDE;
+GO
+
+ALTER DATABASE ENCRYPTION KEY
+ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetric;
+GO
+```