Open asrichesson opened 11 months ago
asrichesson
commented
11 months ago Additionally, only changing the column encryption key and redeploying yields the following error:
There is already a column encryption key value associated with the column master key 'CMK_Auto1'
DBarmanMS
commented
9 months ago I'd like to get some more info about what you are trying to achieve. If it is CMK/CEK rotation then we've a guide for that using other tools which are much easier to use for this specific purpose - https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/rotate-always-encrypted-keys-using-ssms?view=sql-server-ver16.
asrichesson
commented
9 months ago @DBarmanMS I'm trying to get automated pipeline deployments working for column encryption. We have situations where devs do not have direct permissions to modify a database so they can't use ssms or powershell. Additionally, we'd like to use automated deployments to minimize human error. We use sqlpackage for our database deployments including initial column encryption.
| Reading this makes me think that I should expect sqlpackage to decrypt and re-encrypt columns. | Condition | Action |
|---|---|---|
| The column is encrypted both in the DACPAC and the database, but the column in the DACPAC uses a different encryption type or/and a different column encryption key than the corresponding column in the database. | The data in the column will be decrypted and then re-encrypted to match the encryption configuration in the DACPAC. |
DBarmanMS
commented
9 months ago The errors that you are facing is due to an existing CEK which uses the CMK with the same name that you are trying to create using the dacpac. Please try key rotation in a fresh DB and change the CEK/CMK name while generating the new dacpac.
Steps to Reproduce:
Example SQLProject: Demo.zip
Did this occur in prior versions? If not - which version(s) did it work in?
(DacFx/SqlPackage/SSMS/Azure Data Studio)