Appendix B: Migrate from software-based TDE to TDE with EKM
Step-by-step migration from software-based TDE to EKM-protected TDE in SQL Server.
Transparent Data Encryption (TDE) in SQL Server utilizes a database encryption key (DEK), a symmetric key that encrypts the data. By default, this DEK is protected by a server certificate (the “software-stored” key) in the master database. However, SQL Server also supports protecting the DEK with an external HSM-managed asymmetric key via Extensible Key Management (EKM). In other words, the DEK can be wrapped by either a certificate or an EKM-backed key. It is indeed possible to switch an existing software-based TDE-enabled database to TDE with EKM. The process simply re-wraps (rotates) the DEK under the new key. Rotating the TDE protector is an online operation that only decrypts and re-encrypts the DEK, not the entire database. This means the data stays encrypted with the same symmetric key, preserving continuity.
Let’s assume your current database is called legacyDB, and it’s encrypted with a DEK protected by a software certificate (which is SQL Server’s default when TDE is initially enabled). Our goal: rewrap that DEK under EkmAsym without re-encrypting the data.
Before proceeding with the steps below, ensure you have completed the steps outlined in
Here’s the migration procedure:
1
Verify Current Encryption State
Sql
SELECT db.name, dek.encryption_state, dek.encryptor_typeFROM sys.dm_database_encryption_keys dekJOIN sys.databases db ON dek.database_id = db.database_idWHERE db.name = 'legacyDB';
Look for:
encryption_state = 3 → means “encrypted”
encryptor_type = CERTIFICATE → this confirms it’s using the software certificate
2
Back Up the Current CertificateIt is highly recommended to backup the current certificate in case you need to decrypt older backups:
Sql
USE master;GOBACKUP CERTIFICATE YourCurrentTDECert TO FILE = 'C:\Backup\YourCurrentTDECert.cer' WITH PRIVATE KEY ( FILE = 'C:\Backup\YourCurrentTDECert_PrivateKey.pvk', ENCRYPTION BY PASSWORD = 'someStrongPassword123!');GO
Replace YourCurrentTDECert with the actual certificate name from:
Sql
SELECT name FROM sys.certificates WHERE pvt_key_encryption_type_desc = 'BY_MASTER_KEY';
3
Rewrap the DEK with the EkmAsym key created on the KMES through EKM in the Enable TDE in Microsoft SQL Server by using EKM section.
Sql
USE legacyDB;GOALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY EkmAsym;GO
This rewraps the existing DEK under EkmAsym. SQL Server does not generate a new DEK - it just updates the protector.You can verify the switch by running this command again:
Sql
SELECT db.name, dek.encryption_state, dek.encryptor_typeFROM sys.dm_database_encryption_keys dekJOIN sys.databases db ON dek.database_id = db.database_idWHERE db.name = 'EmployeeDB';
Expected result:
encryption_state = 3 → means “encrypted”
encryptor_type = ASYMMETRIC KEY → this confirms it’s using the EKM-stored key
Was this page helpful?
⌘I
Assistant
Responses are generated using AI and may contain mistakes.
