Managed Database Transparent Data Encryption - Create Or Update

Updates a database's transparent data encryption configuration.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/managedInstances/{managedInstanceName}/databases/{databaseName}/transparentDataEncryption/current?api-version=2021-11-01

URI Parameters

Name In Required Type Description
databaseName
path True

string

The name of the managed database for which the security alert policy is defined.

managedInstanceName
path True

string

The name of the managed instance.

resourceGroupName
path True

string

The name of the resource group that contains the resource. You can obtain this value from the Azure Resource Manager API or the portal.

subscriptionId
path True

string

The subscription ID that identifies an Azure subscription.

tdeName
path True

TransparentDataEncryptionName

The name of the transparent data encryption configuration.

api-version
query True

string

The API version to use for the request.

Request Body

Name Required Type Description
properties.state True

TransparentDataEncryptionState

Specifies the state of the transparent data encryption.

Responses

Name Type Description
200 OK

ManagedTransparentDataEncryption

Successfully updated the database Transparent Data Encryption state.

201 Created

ManagedTransparentDataEncryption

Successfully created the database transparent data encryption state.

Other Status Codes

*** Error Responses: ***

  • 400 SecurityAdalPrincipalCertExpiredError - The operation could not be completed because the Azure Key Vault principal certificate has expired.

  • 400 AkvHostNotResolvingFromNode - AKV host '{0}' is not resolvable from SQL, on server '{1}'.

  • 400 SecurityInvalidAzureKeyVaultRecoveryLevel - The provided Key Vault uri is not valid.

  • 400 KeyMaterialNotFoundOnRemoteServer - Remote server does not have access to key material used as a TDE protector.

  • 400 AzureKeyVaultRsaKeyNotSupported - The provided key vault uses unsupported RSA Key Size or Key Type. The supported RSA key size is 2048 or 3072 and Key Type is RSA or RSA-HSM.

  • 400 AzureKeyVaultKeyDisabled - The operation could not be completed on the server because the Azure Key Vault key is disabled.

  • 400 AzureKeyVaultInvalidExpirationDate - The operation could not be completed because the Azure Key Vault key expiration date is invalid.

  • 400 SameKeyUriNotFoundOnRemoteServer - Secondary server does not have the key material from the same key vault as the primary server's encryption protector with key auto-rotation enabled.

  • 400 SecurityAzureKeyVaultUrlNullOrEmpty - The operation could not be completed because the Azure Key Vault Uri is null or empty.

  • 400 SameKeyMaterialNotFoundOnRemoteServer - Secondary server does not have the key material of the primary server's encryption protector.

  • 400 PerDatabaseCMKRestoreNotSupported - Database restore is not supported when Database-level CMK is configured in preview.

  • 400 AzureKeyVaultNoServerIdentity - The server identity is not correctly configured.

  • 400 PerDatabaseCMKHSNotSupported - Database-level CMK in preview is not supported for Hyperscale edition.

  • 400 AzureKeyVaultInvalidUri - An invalid response from Azure Key Vault. Please use a valid Azure Key Vault URI.

  • 400 AzureKeyVaultMissingPermissions - The server is missing required permissions on the Azure Key Vault.

  • 400 UmiMissingAkvPermissions - PrimaryUserAssignedIdentityId provided by user does not have access to KeyId provided

  • 400 AkvEndpointNotReachableFromNode - AKV endpoint '{0}' is not reachable from SQL, on server '{1}'.

  • 400 SecurityAzureKeyVaultInvalidKeyName - The operation could not be completed because of an invalid Server Key name.

  • 400 AdalGenericError - The operation could not be completed because an Azure Active Directory error was encountered.

  • 400 AdalServicePrincipalNotFound - The operation could not be completed because an Azure Active Directory library Service Principal not found error was encountered.

  • 400 AzureKeyVaultMalformedVaultUri - The provided Key Vault uri is not valid.

  • 400 SecurityAzureKeyVaultGeoChainError - Creating secondary of secondary (a process known as chaining) is not supported when enabling Transparent Data Encryption using Azure Key Vault (BYOK).

  • 400 PerDatabaseCMKDWNotSupported - Database-level CMK in preview is not supported for Datawarehouse edition.

  • 400 ReadOnly - Cannot enable or modify database encryption on a database that is read-only, has read-only files or is not recovered.

  • 400 CanNotDropAlterOnMirror - Please modify Transparent Data Encryption on the primary databases.

  • 400 AttemptedEncryptionOnSystemDatabase - Cannot encrypt a system database. Database encryption operations cannot be performed for 'master', 'model', 'tempdb', 'msdb', or 'resource' databases.

  • 400 InvalidTransparentDataEncryptionUpdateRequest - Please enter a valid state. Please use "Enabled" or "Disabled".

  • 400 InvalidTransparentDataEncryptionName - The transparent data encryption key name is not supported.

  • 401 CanNotChangeReadOnlyDuringTdeScan - Cannot modify filegroup read-only/read-write state while an encryption transition is in progress.

  • 409 ServerKeyNameAlreadyExists - The server key already exists on the server.

  • 409 ServerKeyUriAlreadyExists - The server key URI already exists on the server.

  • 409 ServerKeyDoesNotExists - The server key does not exist.

  • 409 AzureKeyVaultKeyNameNotFound - The operation could not be completed because the Azure Key Vault Key name does not exist.

  • 409 AzureKeyVaultKeyInUse - The key is currently being used by the server.

  • 409 NeedsLogBackup - Please wait several minutes for a log backup to occur.

  • 409 EncryptionInProgress - Cannot modify encryption while an encryption scan in progress.

  • 409 KeyChangeInProgress - Cannot change database encryption key while an encryption, decryption, or key change scan is in progress.

  • 409 NoBulkOperationLock - CREATE/ALTER/DROP DATABASE ENCRYPTION KEY failed because a lock could not be placed on database. Try again later.

  • 409 AltStateConflict - The operation cannot be performed on database because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group.

  • 503 AzureKeyVaultConnectionFailed - The operation could not be completed on the server because attempts to connect to Azure Key Vault have failed

  • 503 AzureKeyVaultGenericConnectionError - The operation could not be completed because an error was encountered when attempting to retrieve Key Vault information .

  • 503 NoDekLock - CREATE/ALTER/DROP DATABASE ENCRYPTION KEY failed because a lock could not be placed on the database. Try again later.

Examples

Update a database's Transparent Data Encryption state with minimal parameters

Sample request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/securitytde-42-rg/providers/Microsoft.Sql/managedInstances/securitytde-42/databases/testdb/transparentDataEncryption/current?api-version=2021-11-01

{
  "properties": {
    "state": "Enabled"
  }
}

Sample response

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/securitytde-42-rg/providers/Microsoft.Sql/managedInstances/securitytde-42/databases/testdb/transparentDataEncryption",
  "name": "current",
  "type": "Microsoft.Sql/managedInstance/databases/transparentDataEncryption",
  "properties": {
    "state": "Enabled"
  }
}
{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/securitytde-42-rg/providers/Microsoft.Sql/managedInstances/securitytde-42/databases/testdb/transparentDataEncryption",
  "name": "current",
  "type": "Microsoft.Sql/managedInstance/databases/transparentDataEncryption",
  "properties": {
    "state": "Enabled"
  }
}

Definitions

Name Description
ManagedTransparentDataEncryption

A managed database transparent data encryption state.

TransparentDataEncryptionName

The name of the transparent data encryption configuration.

TransparentDataEncryptionState

Specifies the state of the transparent data encryption.

ManagedTransparentDataEncryption

A managed database transparent data encryption state.

Name Type Description
id

string

Resource ID.

name

string

Resource name.

properties.state

TransparentDataEncryptionState

Specifies the state of the transparent data encryption.

type

string

Resource type.

TransparentDataEncryptionName

The name of the transparent data encryption configuration.

Name Type Description
current

string

TransparentDataEncryptionState

Specifies the state of the transparent data encryption.

Name Type Description
Disabled

string

Enabled

string