How to Move a TDE Encryption Key to Another SQL Server Instance

A database backup of a Transparent Data Encryption (TDE) enabled database contains encrypted data. Because of that, you can't simply restore the backup to any instance: it can only be restored to an instance that holds the same certificate that was originally used to encrypt the database.

To restore an encrypted database backup to a new instance, you first need to import the certificate from the source instance where the backup was created. Here are the steps it takes to copy the original certificate to the instance where the TDE enabled backup will be restored.

Step 1: Verify that there is a Database Master Key

In this step you need to verify that the target server for the restore has a Database Master Key created in the master database. To verify that the Database Master Key exists, run the following TSQL code:

USE master;
SELECT name FROM sys.symmetric_keys
WHERE name LIKE '%DatabaseMasterKey%';

If a Database Master Key exists, the above code returns its name. If the Database Master Key doesn't exist, you can create it with the following TSQL code:

USE master;
GO
CREATE MASTER KEY ENCRYPTION
       BY PASSWORD='Provide Strong Password Here For Database Master Key';
GO

Step 2: Generate the Certificate Backup from Source Instance

In order to move a TDE encrypted database to another instance you need a backup of the certificate that was used to encrypt the TDE enabled database being moved. Hopefully a certificate backup was taken when TDE was set up on the source server. If not, run this TSQL code on the source instance to create a certificate backup file and a private key file:

USE master;
GO
-- Back up the TDE certificate and its private key; the private key file is
-- itself encrypted with the password given here, which is needed at import time.
BACKUP CERTIFICATE TDE_CERT_For_MyData
TO FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
WITH PRIVATE KEY (FILE = 'C:\temp\TDE_CertKey.pvk',
                  ENCRYPTION BY PASSWORD = 'Provide Strong Password for Backup Here');
GO

This code backs up the certificate named TDE_CERT_For_MyData and creates two files. The first file, TDE_Cert_For_MyData.cer, contains the backup of the certificate. The second file, TDE_CertKey.pvk, contains the private key, encrypted with the password supplied in the BACKUP CERTIFICATE statement.

Step 3: Restore the Certificate to the Target Instance

Copy the two files to the target server, then use this code on the target instance to restore the certificate from the backup. The DECRYPTION BY PASSWORD value must be the password used in Step 2.

USE master;
GO
-- Import the certificate together with its private key. The name given here
-- does not have to match the name on the source instance; SQL Server matches
-- the certificate to the database by thumbprint, not by name.
CREATE CERTIFICATE TDECert
  FROM FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
  WITH PRIVATE KEY (
    FILE = N'C:\temp\TDE_CertKey.pvk',
    DECRYPTION BY PASSWORD = 'Provide Strong Password for Backup Here'
  );
GO

Once the target instance contains the certificate that was used to encrypt the database being restored, then you will be able to restore your TDE enabled database backup to the target instance.
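Before attempting the restore, the following T-SQL is a useful pre-flight check. It is an added example, not part of the original article; the @SourceThumbprint value is a placeholder you fill in from the source-instance query. It ties the three steps together: it records which certificate protects the TDE database on the source, and on the target confirms that the Database Master Key can be opened by the server and that a certificate with the matching thumbprint was imported with its private key.

```sql
USE master;
GO
-- Part 1, run on the SOURCE instance: which certificate protects each TDE
-- database, and what is its thumbprint? Note the thumbprint_hex value.
SELECT DB_NAME(dek.database_id)                          AS database_name,
       c.name                                            AS certificate_name,
       CONVERT(varchar(64), dek.encryptor_thumbprint, 2) AS thumbprint_hex
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.certificates AS c
  ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.encryptor_type = 'CERTIFICATE';
GO

-- Part 2, run on the TARGET instance after Step 3. The restore can only
-- succeed if (a) master has a Database Master Key the service master key can
-- open automatically, and (b) a certificate with the SAME thumbprint exists
-- and was imported together with its private key.
DECLARE @SourceThumbprint varchar(64) = 'PASTE_THUMBPRINT_HEX_FROM_PART_1'; -- placeholder

SELECT d.is_master_key_encrypted_by_server AS dmk_openable_by_server,
       c.name                              AS certificate_name,
       c.pvt_key_encryption_type_desc      AS private_key_state,
       CASE
         WHEN c.name IS NULL
              THEN 'MISSING: no certificate with this thumbprint (redo Step 3)'
         WHEN c.pvt_key_encryption_type_desc = 'NO_PRIVATE_KEY'
              THEN 'FAIL: certificate imported without its private key'
         WHEN d.is_master_key_encrypted_by_server = 0
              THEN 'FAIL: Database Master Key not protected by the service master key'
         ELSE 'OK: ready to restore the TDE database backup'
       END AS readiness
FROM sys.databases AS d
LEFT JOIN sys.certificates AS c
  ON CONVERT(varchar(64), c.thumbprint, 2) = @SourceThumbprint
WHERE d.name = 'master';
```

A readiness value other than OK means the RESTORE DATABASE will fail with a "cannot find server certificate with thumbprint" style error, so fix the reported condition first.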

Gregory Larsen
Gregory A. Larsen is a DBA at Washington State Department of Health (DOH). Greg is responsible for maintaining SQL Server and other database management software. Greg works with customers and developers to design and implement database changes, and solve database/application related problems. Greg builds homegrown solutions to simplify and streamline common database management tasks, such as capacity management.