locked
Azure SQL Managed Instance BYOK - different key for each database RRS feed

  • Question

  • I have an Azure SQL Managed Instance with TDE enabled and using a database encryption key (DEK) from my Azure Key Vault. I am wondering how I can achieve the following scenario:

    Two databases in one SQL Managed Instance. Database A uses my own DEK from Azure Key Vault. My friend granted me access to his DEK from his Azure Key Vault, and I want Database B to use this DEK instead.

    Is this possible? Is it even possible in SQL Server on-premises?

    Monday, August 26, 2019 5:28 PM

All replies

  • Hi noamo48

    As the following documement refers, the TDE protector is set at the instance level and all the DB's in that instance are encrypted. So the scenario you are referring to is not possible.

    https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql

    The Document says
    "For Azure SQL Managed Instance, the TDE protector is set at the instance level and it is inherited by all encrypted databases on that instance. The term server refers both to server and instance throughout this document, unless stated differently"

    You can definitely add your idea to Azure SQL managed instance User Voice to help other people vote on it and additionally the product team to prioritize the feature request.

    Hope this helps. Please get back to us if you have any other question.

    Thanks
    Navtej S

    Monday, August 26, 2019 6:29 PM
  • Hi Noamo48

    We have proposed our last reply as the answer. Please review and get back to us if any other question or mark the reply as an answer so that  others can get the help from the same.

    Thanks
    Navtej S

    Wednesday, August 28, 2019 2:21 PM