Posted February 1, 2018

How to Move a TDE Encryption Key to Another SQL Server Instance

By Greg Larsen

If you have a database backup of a Transparent Data Encryption (TDE) enabled database, the database backup will contain encrypted data. Because the database backup contains encrypted data you can't just restore it to any instance. You can only restore the database backup to an instance that contains the same certificate used to originally encrypt the database.

If you want to restore an encrypted database backup to a new instance you need to import the certificate from the source instance where the encrypted backup was created. Here are the steps it takes to copy the original certificate to the instance where the TDE enabled backup will be restored.

Step 1: Verify that there is a Database Master Key

In this step you need to verify that the target server for the restore has a Database Master Key created in the master database. To verify that the Database Master Key exists you can run the following T-SQL code:

USE master;
SELECT name FROM sys.symmetric_keys
WHERE name LIKE '%DatabaseMasterKey%';

If a Database Master Key exists, then the above code will return the name of the Database Master Key. If the Database Master Key doesn't exist, then you can create it with the following T-SQL code:

USE master;
CREATE MASTER KEY ENCRYPTION
       BY PASSWORD = 'Provide Strong Password Here For Database Master Key';

Step 2: Generate the Certificate Backup from Source Instance

In order to move a TDE encrypted database to another instance you need to have a backup of the certificate that was used to encrypt the TDE enabled database being moved. Hopefully when TDE was set up on the source server a certificate backup was taken. If not, then you can run this T-SQL code on the source instance to create a certificate backup and a private key file:

USE master;
BACKUP CERTIFICATE TDE_Cert_For_MyData
TO FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
WITH PRIVATE KEY (FILE = 'C:\temp\TDE_CertKey.pvk',
ENCRYPTION BY PASSWORD = 'Provide Strong Password for Backup Here');

This code backs up the certificate named TDE_Cert_For_MyData and creates two files. The first file, TDE_Cert_For_MyData.cer, contains the backup of the certificate. The second file, TDE_CertKey.pvk, contains the private key, encrypted with the password supplied in the BACKUP CERTIFICATE statement. Copy both files (and keep the password) to the target instance; guard them as carefully as the database backup itself, since together they unlock every backup encrypted with this certificate.
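Before taking the backup it helps to confirm which certificate actually protects the database and whether that certificate has ever been backed up. The following query is an added example, not part of the original article; it joins the TDE key DMV to the certificate catalog on the source instance. The certificate name TDE_Cert_For_MyData is the one used in the article; the encryptor_type and pvt_key_last_backup_date columns exist from SQL Server 2012 onward.

```sql
-- Added example (not from the original article): run on the SOURCE instance to
-- list every TDE-enabled database, the certificate that encrypts its database
-- encryption key, and whether that certificate has ever been backed up.
USE master;

SELECT  DB_NAME(dek.database_id)          AS database_name,
        dek.encryption_state,             -- 3 = encrypted, 2 = encryption in progress
        dek.encryptor_type,               -- expect CERTIFICATE for a certificate-protected DEK
        dek.encryptor_thumbprint,         -- the value the TARGET certificate must match
        c.name                            AS certificate_name,
        c.pvt_key_encryption_type_desc,   -- expect ENCRYPTED_BY_MASTER_KEY
        c.pvt_key_last_backup_date        -- NULL means BACKUP CERTIFICATE has never been run
FROM    sys.dm_database_encryption_keys AS dek
        LEFT JOIN sys.certificates AS c
               ON c.thumbprint = dek.encryptor_thumbprint
WHERE   dek.database_id <> DB_ID('tempdb')   -- tempdb is encrypted automatically and is never restored
ORDER BY database_name;
```

A row whose certificate_name is NULL means the certificate that encrypted that database is no longer in master, and no backup taken now can help; that database can only be restored to an instance that still holds the original certificate. A row with a NULL pvt_key_last_backup_date is the case the article describes: run BACKUP CERTIFICATE for that certificate before moving the database backup anywhere.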

Step 3: Restore Certificate to the Target Instance

This code, run on the target instance, restores the certificate backup. The password is the one supplied when the certificate was backed up in Step 2; the restored private key is then protected by the target instance's Database Master Key from Step 1.

USE master;
CREATE CERTIFICATE TDE_Cert_For_MyData
  FROM FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
  WITH PRIVATE KEY (
    FILE = N'C:\temp\TDE_CertKey.pvk',
    DECRYPTION BY PASSWORD = 'Provide Strong Password for Backup Here');

Once the target instance contains the certificate that was used to encrypt the database being restored, you will be able to restore your TDE enabled database backup to the target instance. The match is made on the certificate's thumbprint, not its name, so a certificate with the same name but a different key will not work.
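The check a practitioner wants before running the restore is that the imported certificate is the same one the backup was encrypted with, and that its private key came across. The script below is an added example, not code from the original article. It assumes the thumbprint copied from the source instance's sys.dm_database_encryption_keys (shown here as a placeholder), a hypothetical database name MyData, a hypothetical backup path, and hypothetical logical file names and data/log paths; THROW requires SQL Server 2012 or later.

```sql
-- Added example (not from the original article): run on the TARGET instance
-- after Step 3. Verifies the imported certificate, restores the TDE backup,
-- and confirms the restored database is encrypted under that certificate.
USE master;

-- Placeholder: paste the encryptor_thumbprint reported on the SOURCE instance.
-- With the placeholder left in place the script deliberately stops at the check.
DECLARE @expected_thumbprint varbinary(32) = 0x00;
DECLARE @actual_thumbprint   varbinary(32);

-- Only a certificate whose private key is present (and protected by the
-- Database Master Key) can open the restored database's encryption key.
SELECT @actual_thumbprint = thumbprint
FROM   sys.certificates
WHERE  name = 'TDE_Cert_For_MyData'
AND    pvt_key_encryption_type_desc = 'ENCRYPTED_BY_MASTER_KEY';

IF @actual_thumbprint IS NULL
    THROW 50001, 'Certificate TDE_Cert_For_MyData is missing or has no private key on this instance.', 1;

IF @actual_thumbprint <> @expected_thumbprint
    THROW 50002, 'Certificate thumbprint does not match the one that encrypted the backup.', 1;

-- The certificate checks out; restore the TDE-enabled backup.
-- Database name, backup path, logical file names and target paths are hypothetical.
RESTORE DATABASE MyData
FROM DISK = 'C:\temp\MyData.bak'
WITH MOVE 'MyData'     TO 'C:\data\MyData.mdf',
     MOVE 'MyData_log' TO 'C:\data\MyData_log.ldf',
     RECOVERY;

-- Confirm the restored database is encrypted and points at the imported certificate.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,                 -- 3 = encrypted
       encryptor_thumbprint              -- should equal @expected_thumbprint
FROM   sys.dm_database_encryption_keys
WHERE  database_id = DB_ID('MyData');
```

If the thumbprint check fails, do not retry the restore with a different password or certificate; the only remedy is to import the correct certificate from the source instance. Use RESTORE FILELISTONLY FROM DISK = '...' to read the real logical file names out of the backup before filling in the MOVE clauses.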
