Azure SQL Managed Instance - Encrypt multiple db's with different asymmetric keys
The big blocker for us moving to Azure SQL Managed Instance is that we will not be able to provide our customers the option of BYOK.
We need to be able to set a separate asymmetric key as the TDE protector for each database, allowing our customers to set their own encryption key for their own database.
Right now, Managed Instances allows only setting one TDE protector per instance, not per database. We cannot be expected to pay for an additional instance for each database just to be able to encrypt each database with different keys. This is already possible in the on-premises version of SQL Server.