Question

Let's say I have a SQL instance with 10k databases that I want to enable TDE using different certificates for each database. Is there any kind of limit to creating certificates on master database? Will I be allowed to create 10k certificates or more?

Any help is appreciated. Thanks


Solution

Microsoft seems not to mention a specific limit for keys or certs, but for databases it is 32767 user databases per instance.

If you consider the TDE key hierarchy, all databases have their own DEK, so it's natural to assume that at least one (and with rollover at least two) keys are possible. (It would not make sense to specify a maximum for databases if they can't use all features like a DEK.)

The DEKs might all be encrypted with a single database master certificate (or multiple, but you would not have one for each DB). But even if you would, since those are just stored in master database tables, I would not see a problem (besides heavy CPU usage on startup).
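
The hierarchy discussed above (one certificate in master per database, each protecting that database's DEK) can be set up and audited as in the following T-SQL. This is an added example, not part of the original question or answer; it assumes a database master key already exists in master, and the `TDE_` certificate-name prefix is hypothetical.

```sql
-- Added example (not from the original answer). Assumes a database master key
-- already exists in master; the TDE_ certificate-name prefix is hypothetical.
USE master;
DECLARE @db sysname, @cert sysname, @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM sys.databases AS d
    WHERE d.database_id > 4              -- skip master, tempdb, model, msdb
      AND d.state = 0                    -- ONLINE only
      AND LEN(d.name) <= 124             -- 'TDE_' + name must fit in sysname
      AND NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys AS k
                      WHERE k.database_id = d.database_id);  -- no DEK yet
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @cert = N'TDE_' + @db;

    -- The certificate lives in master, one per database.
    IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = @cert)
    BEGIN
        SET @sql = N'CREATE CERTIFICATE ' + QUOTENAME(@cert)
                 + N' WITH SUBJECT = ''Per-database TDE certificate'';';
        EXEC (@sql);
    END;

    -- The DEK lives in the user database and is protected by that certificate.
    SET @sql = N'USE ' + QUOTENAME(@db) + N'; CREATE DATABASE ENCRYPTION KEY'
             + N' WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE '
             + QUOTENAME(@cert) + N'; ALTER DATABASE ' + QUOTENAME(@db)
             + N' SET ENCRYPTION ON;';
    EXEC (@sql);

    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs; DEALLOCATE dbs;

-- Inventory: which certificate protects each DEK, and whether its private key
-- has ever been backed up (NULL = never; the database cannot be restored
-- on another instance without that backup).
SELECT DB_NAME(k.database_id) AS database_name, k.encryption_state,
       c.name AS certificate_name, c.expiry_date, c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
ORDER BY database_name;
```

With one certificate per database, the inventory query is also the list of private keys that must be backed up and tracked separately.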

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange