Appendix B: Migrate from software-based TDE to TDE with EKM

transparent data encryption (tde) in sql server utilizes a database encryption key (dek) , a symmetric key that encrypts the data by default, this dek is protected by a server certificate (the “software stored” key) in the master database however, sql server also supports protecting the dek with an external hsm managed asymmetric key via extensible key management (ekm) in other words, the dek can be wrapped by either a certificate or an ekm backed key it is indeed possible to switch an existing software based tde enabled database to tde with ekm the process simply re wraps (rotates) the dek under the new key rotating the tde protector is an online operation that only decrypts and re encrypts the dek, not the entire database this means the data stays encrypted with the same symmetric key, preserving continuity migration steps let's assume your current database is called legacydb , and it's encrypted with a dek protected by a software certificate (which is sql server's default when tde is initially enabled) our goal rewrap that dek under ekmasym without re encrypting the data before proceeding with the steps below, ensure you have completed the steps outlined in enable tde in microsoft sql server by using ekm docid 26pf4zxujqurhckbyi2i5 here's the migration procedure verify current encryption state select db name, dek encryption state, dek encryptor type from sys dm database encryption keys dek join sys databases db on dek database id = db database id where db name = 'legacydb'; look for encryption state = 3 → means "encrypted" encryptor type = certificate → this confirms it’s using the software certificate back up the current certificate it is highly recommended to backup the current certificate in case you need to decrypt older backups use master; go backup certificate yourcurrenttdecert to file = 'c \backup\yourcurrenttdecert cer' with private key ( file = 'c \backup\yourcurrenttdecert privatekey pvk', encryption by password = 'somestrongpassword123!'); go replace yourcurrenttdecert with the actual certificate name from select name from sys certificates where pvt key encryption type desc = 'by master key'; rewrap the dek with the ekmasym key created on the kmes through ekm in the enable tde in microsoft sql server by using ekm docid 26pf4zxujqurhckbyi2i5 section use legacydb; go alter database encryption key encryption by server asymmetric key ekmasym; go this rewraps the existing dek under ekmasym sql server does not generate a new dek it just updates the protector you can verify the switch by running this command again select db name, dek encryption state, dek encryptor type from sys dm database encryption keys dek join sys databases db on dek database id = db database id where db name = 'employeedb'; expected result encryption state = 3 → means "encrypted" encryptor type = asymmetric key → this confirms it’s using the ekm stored key