How to Make use of CMK TDE instead of SMK for MI databases and restore CMK TDE DB from MI to on-prem

  • Published 5 Sep 2024
  • In this video I have shown how to use a Customer Managed Key (CMK) for our Azure Managed Instance database instead of the Service Master Key (SMK), which is the default. As you know, if we opt for SMK, all the keys and credentials will be with Microsoft, and the rotation of keys will be taken care of by them as well. However, if your company doesn't allow the use of SMK due to tightened security, then we need to bring in our own keys, which is nothing but CMK.
    To use CMK, we need to know how to use Azure Key Vault and how to integrate Azure Key Vault with an Azure AD app. Finally, to restore the DB from Managed Instance to on-premises, you should know how to use the SQL Server Connector for Azure Key Vault.
    Some Key Points:
    --------------------------------------
    1) We are allowed to take only copy-only backups on Azure MI.
    2) If you try to take a backup of any database that is SMK-protected, you need to turn off TDE first; otherwise you will get the error message below:
    The backup operation for a database with service-managed transparent data encryption is not supported on sql database managed instance.
    3) If you have CMK, then you are allowed to take copy-only backups without turning off TDE.
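
The flow described above, sketched in T-SQL as an added example (not taken from the video or from Microsoft's own scripts). Every value in angle brackets and the object names `akv_admin_cred`, `akv_engine_cred`, `tde_cmk` and `tde_login` are placeholders; it assumes the SQL Server Connector is already installed on the on-premises server and the Azure AD app has get, wrapKey and unwrapKey permissions on the vault key.

```sql
-- Step 1 (managed instance): see how each database encryption key is protected.
-- encryptor_type reports CERTIFICATE or ASYMMETRIC KEY.
SELECT DB_NAME(database_id) AS database_name, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys;

-- Step 2 (managed instance): copy-only backup to blob storage via a SAS credential.
CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/<container>]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = '<sas-token>';

BACKUP DATABASE [<database>]
TO URL = 'https://<storageaccount>.blob.core.windows.net/<container>/<database>.bak'
WITH COPY_ONLY;

-- Step 3 (on-premises): enable EKM and register the Key Vault connector.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1; RECONFIGURE;

CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM
FROM FILE = '<connector-install-dir>\Microsoft.AzureKeyVaultService.EKM.dll';

-- Step 4 (on-premises): credential for the administrator who opens the vault key.
-- IDENTITY is the vault name (newer connector versions expect the full vault DNS name);
-- SECRET is the app's client ID without hyphens followed by its client secret.
CREATE CREDENTIAL akv_admin_cred
WITH IDENTITY = '<vault-name>', SECRET = '<client-id-no-hyphens><client-secret>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM;
ALTER LOGIN [<admin-login>] ADD CREDENTIAL akv_admin_cred;

-- Step 5 (on-premises): reference the same vault key that protects TDE on the instance.
USE master;
CREATE ASYMMETRIC KEY tde_cmk
FROM PROVIDER AzureKeyVault_EKM
WITH PROVIDER_KEY_NAME = '<key-name-in-vault>', CREATION_DISPOSITION = OPEN_EXISTING;

-- Step 6 (on-premises): login the database engine uses to reach the key during restore.
CREATE CREDENTIAL akv_engine_cred
WITH IDENTITY = '<vault-name>', SECRET = '<client-id-no-hyphens><client-secret>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM;
CREATE LOGIN tde_login FROM ASYMMETRIC KEY tde_cmk;
ALTER LOGIN tde_login ADD CREDENTIAL akv_engine_cred;

-- Step 7 (on-premises): restore the backup file downloaded from blob storage.
RESTORE DATABASE [<database>] FROM DISK = '<local-path>\<database>.bak';
```

Keep the client secret and SAS token out of saved scripts and source control, and grant the Azure AD app only the key permissions listed above.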
