From ade85bb69e12b540a34380be90f86011492a10ca Mon Sep 17 00:00:00 2001 From: Luke Calderon Date: Wed, 3 Jul 2024 10:48:38 +0100 Subject: [PATCH 1/3] Add note to geo-replicated SQL MI with CMK --- .../database/transparent-data-encryption-byok-key-rotation.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md index 06547180641..523f7e75b91 100644 --- a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md +++ b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md @@ -188,6 +188,9 @@ Using the [Azure portal](https://portal.azure.com): When the key is rotated on the primary server, it's automatically transferred to the secondary server. +> [!NOTE] +> If the same key vault key on the **primary** server is used as the default TDE protector on the secondary server, then ensure **Auto-rotate key** is enabled for **both** servers. Failure to do so may lead to the auto-rotation workflows entering an error state, and prevent further manual key rotation operations. + # [PowerShell](#tab/azure-powershell-geo) The `` can be [retrieved from Key Vault](/azure/key-vault/keys/quick-create-portal#retrieve-a-key-from-key-vault). From 4ba5fb3574ed73b42f6dbcfe8c7ee479ed4bf492 Mon Sep 17 00:00:00 2001 From: Luke Calderon Date: Wed, 3 Jul 2024 10:50:18 +0100 Subject: [PATCH 2/3] Update metadata date --- .../database/transparent-data-encryption-byok-key-rotation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md index 523f7e75b91..2015eabf38d 100644 --- a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md +++ b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md 
@@ -5,7 +5,7 @@ description: Learn how to rotate the Transparent data encryption (TDE) protector author: GithubMirek ms.author: mireks ms.reviewer: wiassaf, vanto, mathoma -ms.date: 01/16/2024 +ms.date: 07/03/2024 ms.service: sql-db-mi ms.subservice: security ms.topic: how-to From 6c8245b15a49b409f20064a99c75eeafe0306cf0 Mon Sep 17 00:00:00 2001 From: Van To <40007119+VanMSFT@users.noreply.github.com> Date: Thu, 11 Jul 2024 07:49:38 -0700 Subject: [PATCH 3/3] Update azure-sql/database/transparent-data-encryption-byok-key-rotation.md --- .../database/transparent-data-encryption-byok-key-rotation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md index 2015eabf38d..a88fe878a7f 100644 --- a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md +++ b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md @@ -189,7 +189,7 @@ Using the [Azure portal](https://portal.azure.com): When the key is rotated on the primary server, it's automatically transferred to the secondary server. > [!NOTE] -> If the same key vault key on the **primary** server is used as the default TDE protector on the secondary server, then ensure **Auto-rotate key** is enabled for **both** servers. Failure to do so may lead to the auto-rotation workflows entering an error state, and prevent further manual key rotation operations. +> If the same key vault key on the primary server is used as the default TDE protector on the secondary server, ensure **Auto-rotate key** is enabled for **both** servers. Failure to do so may lead to the auto-rotation workflows entering an error state and prevent further manual key rotation operations. # [PowerShell](#tab/azure-powershell-geo)
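Review bot: In the `@@ -188,6 +188,9 @@` hunk of PATCH 1/3, the new `> [!NOTE]` is inserted directly before `# [PowerShell](#tab/azure-powershell-geo)`, which places it inside the Azure portal tab, so a reader following the PowerShell tab never sees the warning. The condition it describes concerns how the two servers are configured rather than anything specific to the portal, so consider moving the note above the tab group or repeating it in each tab. The commit subject also scopes the change to geo-replicated SQL MI while the note text says only "servers"; the note should state which deployment types it applies to.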
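Review bot: In the `@@ -189,7 +189,7 @@` hunk of PATCH 3/3, the reworded sentence still opens with "If the same key vault key on the primary server is used as the default TDE protector on the secondary server", which is hard to parse because the condition is really about the secondary's configuration. Something like "If the secondary server uses the same key vault key as the primary server for its default TDE protector, ensure **Auto-rotate key** is enabled for **both** servers" reads more directly. The note also names the failure (auto-rotation workflows in an error state, manual rotation blocked) without saying how an operator would notice it or recover from it; a sentence or a link covering that would make the warning actionable.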