Question

Fair warning, I am very new to encryption with DBs. Right now we use the following statement to swap certificates when in the process of backing up/restoring DBs between servers:

ALTER DATABASE ENCRYPTION KEY REGENERATE 
    WITH ALGORITHM = AES_256 
    ENCRYPTION BY SERVER CERTIFICATE....

This is working perfectly fine, but the issue is the amount of time it takes to change the certificate through this statement. I've noticed that it can take more than an hour to change the certificate for DBs that are >100GB.

Is there a faster way to change TDE Certificates that anyone knows of?


Solution

Is there a faster way to change TDE Certificates that anyone knows of?

If you actually need to change the certificate that is doing the encryption (it protects the data), then the only faster way is to get a faster disk subsystem, a new motherboard/CPUs that support AES-NI, and upgrade to SQL Server 2016.

If, however, you don't need to rotate the actual encrypting key but one of the protecting keys (the server certificate in this case, not the DEK), it's a very short, mostly (but not entirely) metadata operation that can be accomplished via ALTER DATABASE ENCRYPTION KEY [Blah] ENCRYPTION BY SERVER CERTIFICATE [Blah2]. That will change the server certificate used to protect the DEK, which will be extremely fast as the physical data does not need to be decrypted and encrypted again using the new DEK.
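The following T-SQL is an added example, not code from the question or the answer above, showing the fast path the answer describes: create and back up a replacement certificate, rewrap the DEK with it, and then confirm from the DMVs which certificate now protects the DEK and that no page scan is running. The database name TdeDb, the certificate names TDE_Cert_Old and TDE_Cert_New, the file paths and the password are assumptions; the example assumes the database master key in master already exists and that the old certificate is the one currently protecting the DEK.

```sql
-- Added example (not from the original post). TdeDb, TDE_Cert_New, TDE_Cert_Old,
-- file paths and the password are assumed names; adjust to your environment.
USE master;
GO

-- 1. Create the replacement certificate. It is protected by the database master
--    key in master, which is assumed to exist already.
CREATE CERTIFICATE TDE_Cert_New
    WITH SUBJECT = 'TDE DEK protector (rotated)';
GO

-- 2. Back up the new certificate WITH its private key before it protects anything.
--    Without this backup the database cannot be restored on another server.
BACKUP CERTIFICATE TDE_Cert_New
    TO FILE = 'C:\TDE\TDE_Cert_New.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDE\TDE_Cert_New.pvk',
        ENCRYPTION BY PASSWORD = '<assumed strong password>');
GO

-- 3. Rewrap the DEK with the new certificate. Only the DEK is re-encrypted;
--    the data pages stay encrypted under the same DEK and are not rewritten,
--    which is why this finishes in seconds regardless of database size.
--    (The statement must run in the context of the TDE-protected database.)
USE TdeDb;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_New;
GO

-- 4. Verify: the DEK's encryptor thumbprint should now match TDE_Cert_New and
--    encryption_state should be 3 (encrypted). States 2, 4 and 6 mean a scan or
--    a protector change is still in progress; 6 is exactly the rewrap above.
USE master;
GO
SELECT d.name                  AS database_name,
       dek.encryption_state,                  -- 3 = encrypted, 6 = protection change in progress
       dek.percent_complete,                  -- non-zero only while a page scan runs
       dek.key_algorithm,
       dek.key_length,
       dek.encryptor_thumbprint,
       c.name                  AS protecting_certificate,
       dek.modify_date,
       dek.regenerate_date                    -- unchanged: the DEK itself was not regenerated
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases               AS d ON d.database_id = dek.database_id
LEFT JOIN sys.certificates       AS c ON c.thumbprint  = dek.encryptor_thumbprint
WHERE d.name = N'TdeDb';
GO

-- 5. Only after step 4 shows TDE_Cert_New, and after every backup taken under the
--    old certificate has been accounted for, is the old certificate safe to drop.
--    Restoring an older backup still needs the certificate that protected its DEK.
-- DROP CERTIFICATE TDE_Cert_Old;

-- For contrast, the slow path from the question: REGENERATE creates a new DEK, so
-- every page must be decrypted and re-encrypted (encryption_state 4 while running).
-- ALTER DATABASE ENCRYPTION KEY REGENERATE
--     WITH ALGORITHM = AES_256
--     ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_New;
```

The check in step 4 is the useful part operationally: if the thumbprint still matches the old certificate, the rewrap did not happen, and if percent_complete is non-zero, a REGENERATE scan is still running and the server is doing the full rewrite the answer warns about. Keep the old certificate (and its backup) until no backup that depends on it needs to be restorable.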

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange