Sql-server – Microsoft TDE Permissions For Changing Keys

Tags: encryption, role, sql server, sql-server-2012, transparent-data-encryption

I am setting up roles as a layer of protection inside of MSSQL. One of the roles will only have the ability to change database encryption keys for TDE on the database server. The server will be using EKM to supply the keys.

I have not been able to find the exact process to exchange the keys with EKM. Since I can't find the process, I can't give the roles the permissions they need.

Right now, I have granted CONTROL permissions on certificates and asymmetric keys at the database level. I am assuming that this will be necessary.

Does anyone know if there are any server level permissions required to change the database encryption key? I believe that the user will at least need access to see which keys are located in EKM.

Best Answer

ALTER DATABASE ENCRYPTION KEY

Requires CONTROL permission on the database and VIEW DEFINITION permission on the certificate or asymmetric key that is used to encrypt the database encryption key.

You must also add view definition according to MSDN.

https://msdn.microsoft.com/en-us/library/bb630389%28v=sql.110%29.aspx
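The following T-SQL puts the answer's two permissions into a dedicated role and then verifies that a member can regenerate the DEK. It is an added example, not part of the original question or answer, and not taken from the MSDN page. All names are placeholders: the login [tde_key_rotator], the EKM-backed asymmetric key [TDE_EKM_AsymKey] in master, and the TDE-enabled user database [AppDB] are assumed to exist already.

```sql
-- Added example (placeholders, not from the page):
--   login [tde_key_rotator]          : the principal that will rotate DEKs
--   asymmetric key [TDE_EKM_AsymKey] : created in master from the EKM provider
--   database [AppDB]                 : already TDE-enabled, DEK protected by that key

-- 1. VIEW DEFINITION on the key that protects the DEK.
--    EKM asymmetric keys used for TDE live in master, so the principal
--    needs a user in master that holds this permission.
USE master;
GO
CREATE USER [tde_key_rotator] FOR LOGIN [tde_key_rotator];
GRANT VIEW DEFINITION ON ASYMMETRIC KEY::[TDE_EKM_AsymKey] TO [tde_key_rotator];
GO

-- 2. CONTROL on the user database, granted to a role rather than to the
--    user directly so membership can be reviewed and revoked in one place.
USE [AppDB];
GO
CREATE ROLE [db_tde_key_rotator];
GRANT CONTROL ON DATABASE::[AppDB] TO [db_tde_key_rotator];
CREATE USER [tde_key_rotator] FOR LOGIN [tde_key_rotator];
ALTER ROLE [db_tde_key_rotator] ADD MEMBER [tde_key_rotator];
GO

-- 3. Verify the effective grants before handing the role out.
SELECT pr.name       AS principal_name,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name IN (N'db_tde_key_rotator', N'tde_key_rotator');
GO

-- 4. Exercise the permission as that login (LOGIN, not USER, so the
--    master-scoped VIEW DEFINITION check is made under the same identity).
EXECUTE AS LOGIN = 'tde_key_rotator';
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
REVERT;
GO

-- 5. Confirm the regeneration and the protector type.
SELECT db_name(database_id) AS database_name,
       encryption_state,
       encryptor_type,
       regenerate_date
FROM sys.dm_database_encryption_keys
WHERE database_id = db_id(N'AppDB');
GO
```

The script grants nothing at server level beyond mapping the login into master, which matches the answer's list of requirements. CONTROL on the database is a broad permission, so the practical control point is membership of [db_tde_key_rotator]; the query in step 3 is what to re-run on a schedule to confirm nobody else has picked up those grants.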