I have implemented the Always Encrypted feature in SQL Server 2016. The CMK is valid for one year. How do I renew it, or extend the validity?
Sql-server – How to renew or extend the CMK Certificate in Always Encrypted feature
Tags: always-encrypted, sql server, sql-server-2016
Best Answer
Always Encrypted does not check the validity of the CMK certificate explicitly. Always Encrypted treats the CMK certificate purely as a (PK, SK) pair, so you can use the expired cert without running into any issues. However, the best practice is to rotate the CMK at regular intervals. Always Encrypted provides a mechanism to rotate the CMK without incurring any application downtime. Please read the following official articles for details.
Article 1
Article 2
How to do CMK rotation without powershell:
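
Added example, not part of the original answer: a T-SQL inventory to run in the encrypted database before and after a rotation. It shows which certificate (by key path) each CMK points to, which CEKs each CMK wraps, and which columns depend on them. It reads only the standard catalog views and assumes nothing about your key or table names.

```sql
-- 1) CMK -> CEK mapping. SQL Server stores only metadata about the CMK
--    (provider name + key path); the certificate itself lives in the key store.
--    For MSSQL_CERTIFICATE_STORE the key path ends in the certificate thumbprint,
--    which is what you look up in the store to see the NotAfter date.
SELECT
    cmk.name                        AS cmk_name,
    cmk.key_store_provider_name     AS key_store,
    cmk.key_path                    AS key_path,
    cmk.create_date                 AS cmk_created,
    cek.name                        AS cek_name,
    cekv.encryption_algorithm_name  AS wrap_algorithm,
    -- A CEK with 2 values is wrapped by both the old and the new CMK:
    -- rotation has started but the old value has not been dropped yet.
    -- 0 means this CMK protects no CEK and is a candidate for removal.
    COUNT(cekv.column_master_key_id)
        OVER (PARTITION BY cekv.column_encryption_key_id) AS cek_value_count
FROM sys.column_master_keys AS cmk
LEFT JOIN sys.column_encryption_key_values AS cekv
       ON cekv.column_master_key_id = cmk.column_master_key_id
LEFT JOIN sys.column_encryption_keys AS cek
       ON cek.column_encryption_key_id = cekv.column_encryption_key_id
ORDER BY cmk.create_date, cek.name;

-- 2) Encrypted columns and the CEK each one uses, to see which data
--    depends on the keys listed above.
SELECT
    OBJECT_SCHEMA_NAME(c.object_id) AS schema_name,
    OBJECT_NAME(c.object_id)        AS table_name,
    c.name                          AS column_name,
    c.encryption_type_desc          AS encryption_type,
    cek.name                        AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
ORDER BY schema_name, table_name, column_name;
```

After a completed rotation, every CEK should show `cek_value_count = 1` against the new CMK, and the old CMK should appear with no CEK before it is dropped.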