TDE BYOK and Geo-Replication in Azure SQL DB


Recently a customer asked me for help setting up a test of an Azure SQL Database (single database tier) with Geo-Replication, where Transparent Data Encryption (TDE) uses a customer-managed key, also known as Bring Your Own Key (BYOK). This is very simple with service-managed keys, the default for regular TDE, but there are some catches when it comes to TDE BYOK.

Keep in mind it is strongly recommended to allow the Azure service to manage this key unless you and your company are fully aware of what is involved with