Is it possible to audit/log any attempts or actual changes to the keys used in the encryption hierarchy?
We are using 2014 Enterprise edition and have recently enabled TDE across our databases and would like to add changes to the encryption keys to our auditing.
As we have recently upgraded to enterprise edition to allow us to enable TDE, I wondered if SQL Server Audit would have this out of the box?
Best Answer
Turns out SQL Server Audit has this out of the box.
Querying the contents of sys.dm_audit_actions revealed all the audit actions available and the audit action types that I needed to add to the audit.
Once I added DATABASE_OBJECT_CHANGE_GROUP and SERVER_OBJECT_CHANGE_GROUP to my audit and enabled it, they appeared in the log.
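
An added T-SQL example (not part of the original answer) of the setup described above: a file audit with both action groups in a server audit specification, followed by a query that reads key and certificate changes back from the log. The audit name, specification name and `D:\SQLAudit\` path are placeholders, and the `LIKE` filter on the class description is an assumption made for convenience.

```sql
USE master;
GO
-- Audit target. Name and FILEPATH are placeholders; the folder must exist
-- and be writable by the SQL Server service account.
CREATE SERVER AUDIT [Audit_KeyChanges]
TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Both groups from the answer. At server level DATABASE_OBJECT_CHANGE_GROUP
-- applies to every database, including master, where the TDE certificate lives.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_KeyChanges]
FOR SERVER AUDIT [Audit_KeyChanges]
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [Audit_KeyChanges] WITH (STATE = ON);
GO

-- Which actions the two groups contain, from the same DMV the answer used.
SELECT name, class_desc, containing_group_name
FROM sys.dm_audit_actions
WHERE containing_group_name IN (N'DATABASE_OBJECT_CHANGE_GROUP',
                                N'SERVER_OBJECT_CHANGE_GROUP')
ORDER BY containing_group_name, class_desc, name;
GO

-- Read the audit file back and keep CREATE / ALTER / DROP events on keys
-- and certificates. succeeded = 0 marks an attempt that did not complete.
SELECT f.event_time,
       f.action_id,
       f.succeeded,
       f.server_principal_name,
       f.database_name,
       m.class_type_desc,
       f.object_name,
       f.statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\Audit_KeyChanges*.sqlaudit',
                           DEFAULT, DEFAULT) AS f
LEFT JOIN sys.dm_audit_class_type_map AS m
       ON m.class_type = f.class_type
WHERE f.action_id IN ('CR', 'AL', 'DR')
  AND (m.class_type_desc LIKE N'%KEY%'
       OR m.class_type_desc LIKE N'%CERTIFICATE%')
ORDER BY f.event_time DESC;
```

Dropping the final `AND (...)` filter shows every object change the two groups record, which is useful for checking what else the audit now captures.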