I have Always Encrypted using Azure Key Vault working on our on-prem database using the full versioned key.
Reading the article below, in the "important" section it mentions "Target services should use versionless key uri to automatically refresh to latest version of the key" https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
Does this work for Always Encrypted?
I am able to create a versionless COLUMN MASTER KEY passing in KEY_PATH = N'https://mykeyvault.vault.azure.net/keys/VersionlessKey'
I can generate an ENCRYPTED_VALUE and create a COLUMN ENCRYPTION KEY using the key vault URL in the COLUMN MASTER KEY. If I run the package to encrypt the data it works just fine.
When I add a new version to the key in the key vault the same ETL breaks. Here are the errors:
ERROR [CE018] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The specified encrypted column encryption key signature does not match the signature computed with the column master key (certificate) in mykeyvaultURL
ERROR [CE202] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The keystore provider AZURE_KEY_VAULT failed to decrypt the ECEK mykeyvaultURL with RSA_OAEP.
The idea here is to handle Key Vault key rotation/versioning as per our company's policy. It isn't ideal to have to decrypt all of the data before generating a new key and then re-encrypting it with the new version of the key.
Thanks in advance
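Added example, not part of the original post: a T-SQL script that (a) shows the CMK/CEK definitions the post describes, (b) inventories which stored key paths are versioned versus versionless, so the ECEK-to-key binding behind the CE018/CE202 errors can be checked before a rotation, and (c) performs the documented Always Encrypted column master key rotation with `ALTER COLUMN ENCRYPTION KEY ... ADD VALUE / DROP VALUE`, which re-wraps only the column encryption key and leaves the column data encrypted in place. The key names, vault URL and all `ENCRYPTED_VALUE` bytes are placeholders; the real encrypted values must be produced client-side by the Azure Key Vault key store provider (for example the SSMS key rotation dialog or the `Invoke-SqlColumnMasterKeyRotation` cmdlet in the SqlServer PowerShell module).

```sql
-- Added example (not from the original post). Names, vault URL and
-- ENCRYPTED_VALUE bytes are placeholders, not values from the question.

-- 1. Column master key metadata: only the path is stored here, not key material.
CREATE COLUMN MASTER KEY CMK_Vault_v1
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://mykeyvault.vault.azure.net/keys/VersionlessKey'
);
GO

-- 2. Column encryption key: ENCRYPTED_VALUE is the CEK wrapped (RSA_OAEP)
--    by the key the provider resolved at creation time. 0x00 is a placeholder;
--    the real bytes come from the client-side key store provider.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Vault_v1,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00
);
GO

-- 3. Inventory check: which CMK path each stored CEK value is wrapped under,
--    and whether that path pins a key version. A versionless path still stores
--    a value encrypted with one specific key version, which is what CE018/CE202
--    report once the vault resolves the path to a newer version.
SELECT  cmk.name                     AS cmk_name,
        cmk.key_store_provider_name  AS provider,
        cmk.key_path,
        CASE WHEN cmk.key_path LIKE '%/keys/%/%'
             THEN 'versioned' ELSE 'versionless' END AS path_kind,
        cek.name                     AS cek_name,
        v.encryption_algorithm_name  AS wrap_algorithm
FROM    sys.column_master_keys            AS cmk
JOIN    sys.column_encryption_key_values  AS v
        ON v.column_master_key_id = cmk.column_master_key_id
JOIN    sys.column_encryption_keys        AS cek
        ON cek.column_encryption_key_id = v.column_encryption_key_id
ORDER BY cek.name, cmk.name;
GO

-- 4. Rotation without re-encrypting column data: register the new key version
--    as a second CMK, add a second wrapped copy of the same CEK under it, let
--    clients pick up the new metadata, then drop the old value and old CMK.
--    '<new-version-id>' is a placeholder for the Key Vault version identifier.
CREATE COLUMN MASTER KEY CMK_Vault_v2
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://mykeyvault.vault.azure.net/keys/VersionlessKey/<new-version-id>'
);
GO

ALTER COLUMN ENCRYPTION KEY CEK_Customers
ADD VALUE (
    COLUMN_MASTER_KEY = CMK_Vault_v2,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder: same CEK re-wrapped under CMK_Vault_v2
);
GO

-- Run the inventory query again here: CEK_Customers should now list two values,
-- one per CMK, and clients with access to either key can decrypt.

-- Only after every client can reach the new key version:
ALTER COLUMN ENCRYPTION KEY CEK_Customers
DROP VALUE (COLUMN_MASTER_KEY = CMK_Vault_v1);
GO

DROP COLUMN MASTER KEY CMK_Vault_v1;
GO
```

The inventory query in step 3 is the check worth running before any vault-side rotation: each row is one wrapped copy of a CEK, and a CEK with a single row whose CMK path resolves to a key that has since been rotated is exactly the state the CE202 error describes. Step 4 keeps the encrypted columns untouched because the column data is encrypted with the CEK, and only the CEK's wrapping under the master key changes.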