Guest Jose_Manuel_Jurado Posted May 30, 2023

We worked on a service request in which our customer faced the following error message:

Failed to save Transparent Data Encryption settings for SQL resource: azmsqldbunuatcog01. Error message: The key vault provided 'https://XYZ.vault.azure.net/keys/XYZ1/fdXXXXX on server 'ServerName' uses unsupported Key Size or Key Type. The supported RSA Key Size is 2048 or 3072 and Key Type is RSA or RSA-HSM.

This issue occurs due to a difference in key size between SQL Server 2014 TDE and Azure SQL Managed Instance TDE. In this situation we have a SQL Server 2014 on-prem instance protected with a 1024-bit TDE key. We want to migrate to Azure SQL Managed Instance, but the TDE protector for Managed Instance requires a 2048- or 3072-bit key. In this case we are using BYOK and import it using this PowerShell script: Use PowerShell to enable transparent data encryption - Azure SQL Managed Instance | Microsoft Learn

According to this documentation: CREATE CERTIFICATE (Transact-SQL) - SQL Server | Microsoft Learn

The Private Key must be <= 2500 bytes in encrypted format. Private keys generated by SQL Server are 1024 bits long through SQL Server 2014 (12.x) and are 2048 bits long beginning with SQL Server 2016 (13.x). Private keys imported from an external source have a minimum length of 384 bits and a maximum length of 4,096 bits. The length of an imported private key must be an integer multiple of 64 bits. Certificates used for TDE are limited to a private key size of 3456 bits.
We would like to share the steps taken to work around this issue in the source database:

1. Turn off TDE: Transparent data encryption (TDE) - SQL Server
2. Drop the database encryption key: DROP DATABASE ENCRYPTION KEY (Transact-SQL) - SQL Server
3. Drop the certificate from the DB: DROP CERTIFICATE (Transact-SQL) - SQL Server
4. Drop the master key: DROP MASTER KEY (Transact-SQL) - SQL Server

After decrypting the data and removing TDE, we need to migrate the database to Managed Instance and enable TDE for the database inside the Portal with a new BYOK that meets the security policies: Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics
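The four steps above as one T-SQL script, added here as an illustration and not part of the original post. The database name `MyDB`, the certificate name `TDECert` and the `WAITFOR` polling interval are assumptions; the script first reports the current TDE key length (the value that triggers the Managed Instance error when it is 1024), then turns encryption off, waits for the background decryption scan to finish (encryption_state = 1) before dropping the DEK, and checks that no other database still uses the certificate before dropping it and the master key.

```sql
-- Added example (not from the original post). Assumed names: MyDB, TDECert.
USE master;
GO

-- 0. Inspect the current TDE key: a key_length of 1024 on the certificate is
--    exactly what Managed Instance rejects (it needs 2048 or 3072).
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,            -- 3 = encrypted, 1 = unencrypted
       dek.key_algorithm, dek.key_length,
       c.name AS certificate_name, c.key_length AS cert_key_length,
       c.pvt_key_encryption_type_desc
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID('MyDB');
GO

-- 1. Turn TDE off; this starts an asynchronous decryption scan.
ALTER DATABASE [MyDB] SET ENCRYPTION OFF;
GO

-- Wait until the scan completes. DROP DATABASE ENCRYPTION KEY fails while the
-- database is still encrypted or decryption is in progress (state 2 or 5).
WHILE EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys
              WHERE database_id = DB_ID('MyDB') AND encryption_state <> 1)
    WAITFOR DELAY '00:00:10';   -- assumed polling interval
GO

-- 2. Drop the database encryption key now that the data is in plaintext.
USE [MyDB];
GO
DROP DATABASE ENCRYPTION KEY;
GO

-- 3. Drop the certificate, but only if no other database's DEK is still
--    protected by it (dropping it would otherwise orphan those databases).
USE master;
GO
IF EXISTS (SELECT 1
           FROM sys.dm_database_encryption_keys AS dek
           JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
           WHERE c.name = 'TDECert')
    RAISERROR('TDECert still protects another database; not dropping it.', 16, 1);
ELSE
    DROP CERTIFICATE TDECert;
GO

-- 4. Drop the database master key in master. This fails if other certificates
--    or keys are still encrypted by it, which is the safe outcome.
IF NOT EXISTS (SELECT 1 FROM sys.certificates
               WHERE pvt_key_encryption_type = 'MK')
    DROP MASTER KEY;
GO
```

Keep a verified backup of the old certificate and its private key before step 3: any backup taken while the database was still TDE-encrypted can only be restored with that certificate.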