Can I move my encryption key (used for SQL always encrypted) from a key vault in one Azure tenant to another?

R2Bleep2

7/28/23, 12:49 PM

We have migrated a database (backup to .bacpac and restore to the new tenant) but the database was encrypted using always encrypted and the key is stored in the original tenant's key vault. I can look at the data in SQL management studio by authenticating with the first tenant when it tries to decrypt (it automatically pops up the authentication dialog), but I need to move the key so my web app can access it too. Can it be migrated from one tenant to another, or is this going to become a manual process of exporting and re-importing the data?

0 + 0

encryption

sql

azure

Score:1

Server

R2Bleep2

8/19/23, 1:35 PM

An update on this: The short answer is yes, it's possible to move the keys from one tenant to another, but there's a caveat:

The tenant must exist in the same subscription. If it doesn't, you have to first transfer the tenant to the same subscription as the destination tenant you want the keys to be moved to - an account on both with sufficient rights is required to perform this step.
The entire key vault is migrated. the keys are tied to the vault and can't be used in another vault.

0 + 0

Carl in 't Veld

8/8/23, 6:07 PM

Could you change the wording of your answer a bit? In Azure vocabulary a tenant does not exist in a subscription. It is the other way around: a tenant owns possibly multiple subscriptions. I assume for your migration use case it is required that both the source subscription as well as the target subscription reside in the same tenant?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Can I move my encryption key (used for SQL always encrypted) from a key vault in one Azure tenant to another?

TH: ฉันสามารถย้ายคีย์การเข้ารหัสของฉัน (ใช้สำหรับ SQL ที่เข้ารหัสเสมอ) จากที่เก็บคีย์ในผู้เช่า Azure หนึ่งไปยังอีกที่หนึ่งได้หรือไม่

RO: Îmi pot muta cheia de criptare (folosită pentru SQL întotdeauna criptat) dintr-un seif de chei dintr-un chiriaș Azure în altul?

RU: Можно ли переместить свой ключ шифрования (используемый для всегда зашифрованного SQL) из хранилища ключей в одном клиенте Azure в другой?

VI: Tôi có thể di chuyển khóa mã hóa của mình (được sử dụng cho SQL luôn được mã hóa) từ một kho khóa trong một đối tượng thuê Azure này sang một đối tượng thuê Azure khác không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.