
Commit b380c69

msmbaldwin and Copilot committed
Fix compromised TDE protector guidance: rotate before deleting
The remove-tde-protector article previously said "it's best to delete the key" when compromise is suspected. This leads to self-inflicted database outages without revoking any backup copies of the key.

Updated to recommend rotating to a new TDE protector and migrating all databases before deleting the old key. Added warning that deleting or disabling a key does not invalidate backup copies restored to other vaults. Cross-linked to Key Vault backup security considerations.

Related to MSRC Case 113198.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent ec47d34 commit b380c69

2 files changed

Lines changed: 4 additions & 4 deletions

azure-sql/database/transparent-data-encryption-byok-overview.md

Lines changed: 2 additions & 2 deletions
@@ -5,7 +5,7 @@ description: Bring Your Own Key (BYOK) support for transparent data encryption (
55
author: Pietervanhove
66
ms.author: pivanho
77
ms.reviewer: wiassaf, vanto, mathoma, randolphwest
8-
ms.date: 03/05/2026
8+
ms.date: 04/22/2026
99
ms.service: azure-sql
1010
ms.subservice: security
1111
ms.topic: concept-article
@@ -217,7 +217,7 @@ Auditors can use Azure Monitor to review managed HSM AuditEvent logs, if logging
217217
218218
- Keep all previously used keys in Azure Key Vault or Azure Managed HSM even after switching to service-managed keys. It ensures database backups can be restored with the TDE protectors stored in Azure Key Vault or Azure Managed HSM. TDE protectors created with Azure Key Vault or Azure Managed HSM have to be maintained until all remaining stored backups have been created with service-managed keys. Make recoverable backup copies of these keys using [Backup-AzKeyVaultKey](/powershell/module/az.keyvault/backup-azkeyvaultkey).
219219
220-
- To remove a potentially compromised key during a security incident without the risk of data loss, follow the steps in the article [Remove a Transparent Data Encryption (TDE) protector using PowerShell](transparent-data-encryption-byok-remove-tde-protector.md).
220+
- To remove a potentially compromised key during a security incident without the risk of data loss, follow the steps in the article [Remove a Transparent Data Encryption (TDE) protector using PowerShell](transparent-data-encryption-byok-remove-tde-protector.md). Always rotate to a new TDE protector and verify that all databases are using the new key before deleting or disabling the compromised key. Deleting or disabling the key without rotating first causes all encrypted databases to become inaccessible, and does not invalidate any key copies that were previously backed up and restored to another vault.
221221
222222
> [!TIP]
223223
> **Using versioned and versionless Azure Key Vault keys for TDE**
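Review bot: The new sentence in line 220 conflicts with the bullet directly above it (line 218), which says previously used keys must be retained so that backups can still be restored. Telling the reader to "verify that all databases are using the new key before deleting or disabling the compromised key" implies the old key can go once live databases are migrated, but any backup taken while it was the protector still depends on it. Suggest extending the clause to something like "and that no backups you still need were taken under the old key, or that a recoverable copy exists as described above". Also, the retained opening "without the risk of data loss" reads awkwardly next to the new warning that deletion makes databases inaccessible; "with the least risk of data loss" would match the rest of the sentence.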

azure-sql/database/transparent-data-encryption-byok-remove-tde-protector.md

Lines changed: 2 additions & 2 deletions
@@ -5,7 +5,7 @@ description: Learn how to respond to a potentially compromised TDE protector for
55
author: Pietervanhove
66
ms.author: pivanho
77
ms.reviewer: wiassaf, vanto, mathoma
8-
ms.date: 03/05/2026
8+
ms.date: 04/22/2026
99
ms.service: azure-sql-database
1010
ms.subservice: security
1111
ms.topic: how-to
@@ -24,7 +24,7 @@ This article describes how to respond to a potentially compromised TDE protect f
2424
> [!CAUTION]
2525
> The procedures outlined in this article should only be done in extreme cases or in test environments. Review the steps carefully, as deleting actively used TDE protectors from Azure Key Vault will result in **database becoming unavailable**.
2626
27-
If a key is ever suspected to be compromised, such that a service or user had unauthorized access to the key, it's best to delete the key.
27+
If a key is ever suspected to be compromised, such that a service or user had unauthorized access to the key, the recommended response is to first rotate to a new TDE protector and migrate all databases before deleting the old key. Deleting or disabling a key without first rotating the TDE protector causes all encrypted databases to become inaccessible. In addition, deleting or disabling a key does not invalidate any copies that were previously backed up and restored to another vault. Those copies remain fully functional. For more information about Key Vault backup copy behavior, see [Backup security considerations](/azure/key-vault/general/backup#security-considerations).
2828

2929
Keep in mind that once the TDE protector is deleted in Azure Key Vault, in up to 10 minutes, all encrypted databases will start denying all connections with the corresponding error message and change its state to [Inaccessible](./transparent-data-encryption-byok-overview.md#inaccessible-tde-protector).
3030

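Review bot: The replacement paragraph at line 27 tells the reader to "first rotate to a new TDE protector and migrate all databases" but links only to the Key Vault backup considerations, not to the rotation procedure itself; since the title and the CAUTION at line 25 frame this article around deletion, add a pointer to where rotation is documented (the overview article already referenced at line 29, or this article's own steps if they cover it). The CAUTION at line 25 is also left saying the procedures "should only be done in extreme cases", which now sits oddly before a paragraph that recommends rotation as the normal response; consider updating it to say the deletion steps apply only after rotation and migration are complete, so the two paragraphs agree.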