TDE
8 Topics

TDE High availability with customer-managed key for Azure SQL Databases
If the server loses access to the stored Database Encryption Key (DEK) in AKV, in up to 10 minutes a database will start denying all connections with the corresponding error message and change its state to Inaccessible. The only action allowed on a database in the Inaccessible state is deleting it. Thus, it's highly recommended to configure the server to use two different key vaults in two different regions with the same key material.

Lesson Learned #360: Unsupported Key Size or Key Type. The supported RSA Key Size is 2048 or 3072.
We worked on a service request in which our customer faced the following error message:

Failed to save Transparent Data Encryption settings for SQL resource: azmsqldbunuatcog01. Error message: The key vault provided 'https://XYZ.vault.azure.net/keys/XYZ1/fdXXXXX on server 'ServerName' uses unsupported Key Size or Key Type. The supported RSA Key Size is 2048 or 3072 and Key Type is RSA or RSA-HSM.