Database Journal
Database User and Programming Tips

Posted February 1, 2018


How to Move a TDE Encryption Key to Another SQL Server Instance

By Greg Larsen

A backup of a database that has Transparent Data Encryption (TDE) enabled contains encrypted pages, and the database encryption key (DEK) stored in the backup is itself encrypted by a server certificate held in the master database of the source instance. Because of this you cannot simply restore the backup to any instance: the restore succeeds only on an instance whose master database holds the same certificate (same thumbprint), private key included, that was used to encrypt the database.

To restore an encrypted database backup to a new instance you therefore need to import that certificate from the source instance where the backup was created. Here are the steps for copying the original certificate to the instance where the TDE enabled backup will be restored.

Step 1: Verify that there is a Database Master Key

In this step you verify that the target instance for the restore has a Database Master Key (DMK) in master. The DMK is needed in Step 3: when the certificate is imported from file, SQL Server decrypts the private key with the backup password and re-encrypts it with the target's DMK, and the import fails if no DMK exists. To check whether one exists, run the following TSQL code (the key appears in sys.symmetric_keys under the name ##MS_DatabaseMasterKey##):

USE master;
SELECT name FROM sys.symmetric_keys
WHERE name LIKE '%DatabaseMasterKey%';

If a Database Master Key exists, the query returns its name. If it doesn't, create one with the following TSQL code. Its password does not have to match the DMK password on the source instance; by default the DMK is also protected by the Service Master Key, so SQL Server can open it without the password whenever it needs the certificate to decrypt the DEK.

USE master;
GO
CREATE MASTER KEY ENCRYPTION
       BY PASSWORD='Provide Strong Password Here For Database Master Key';
GO

Step 2: Generate the Certificate Backup from Source Instance

To move a TDE encrypted database to another instance you need a backup of the certificate that encrypted the database's DEK, together with its private key. Hopefully a certificate backup was taken when TDE was set up on the source server. If not, run this TSQL code on the source instance to create a certificate backup and a private key file (the SQL Server service account needs write access to the folder):

USE master;
GO
BACKUP CERTIFICATE TDE_CERT_For_MyData
TO FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
WITH PRIVATE KEY (FILE='C:\temp\TDE_CertKey.pvk',
ENCRYPTION BY PASSWORD='Provide Strong Password for Backup Here');

This code backs up the certificate named TDE_CERT_For_MyData and creates two files. The first file, TDE_Cert_For_MyData.cer, contains the public certificate. The second file, TDE_CertKey.pvk, contains the private key, encrypted with the password given in the ENCRYPTION BY PASSWORD clause. Treat the two files and that password as secrets: together they are everything needed to decrypt any backup of the database. Copy them to the target instance over a secure channel and remove them from the temp folders once the import is done.

Step 3: Restore Certificate to the Target instance

Run this code on the target instance to import the certificate into master from the two files. The DECRYPTION BY PASSWORD value is the password used in Step 2; the private key is then re-encrypted with the target's Database Master Key from Step 1. The certificate name on the target (TDECert here) does not have to match the name used on the source, because SQL Server identifies the certificate by its thumbprint, not by its name.

USE master;
GO
CREATE CERTIFICATE TDECert
FROM FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
WITH PRIVATE KEY (
    FILE = 'C:\temp\TDE_CertKey.pvk',
    DECRYPTION BY PASSWORD = 'Provide Strong Password for Backup Here'
);
GO

Once the target instance holds a certificate with the same thumbprint as the one that encrypted the database, the RESTORE DATABASE of the TDE enabled backup will succeed on the target instance. If the certificate is missing, or was imported without its private key, the restore fails with an error that names the thumbprint it could not find, which is a quick way to see which certificate you still need to import.
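The steps above assume you already know which certificate protects the database. The following added example (not part of the original article) shows how to confirm that on both sides: on the source, find the certificate whose thumbprint matches the encryptor of the database encryption key, and on the target, read the thumbprint the backup requires from its header and check that a certificate with that thumbprint and a private key is present before attempting the restore. The database name MyData and the backup path C:\temp\MyData.bak are assumptions.

```sql
-- Added example, not from the original article.
-- Assumes the TDE database is named MyData and its backup is C:\temp\MyData.bak.

-- 1. On the SOURCE instance: which certificate protects the database encryption key?
--    TDE matches on the certificate thumbprint, so this tells you exactly which
--    certificate to back up in Step 2.
USE master;
GO
SELECT  DB_NAME(dek.database_id)        AS database_name,
        c.name                          AS certificate_name,
        dek.encryptor_thumbprint,
        dek.encryption_state,           -- 3 = encrypted
        c.pvt_key_last_backup_date      -- NULL = private key never backed up (SQL Server 2012+)
FROM    sys.dm_database_encryption_keys AS dek
JOIN    sys.certificates               AS c
        ON c.thumbprint = dek.encryptor_thumbprint
WHERE   dek.database_id = DB_ID('MyData');
GO

-- 2. On the TARGET instance, before RESTORE DATABASE: read the thumbprint the
--    backup requires straight from its header (TDEThumbprint column) ...
RESTORE HEADERONLY FROM DISK = 'C:\temp\MyData.bak';
GO

-- ... and confirm that a certificate with that thumbprint, private key included,
--     exists in master. Paste the TDEThumbprint value into the variable below.
USE master;
GO
DECLARE @required_thumbprint VARBINARY(32) = 0x;   -- replace 0x with the TDEThumbprint value

IF EXISTS (SELECT 1
           FROM   sys.certificates
           WHERE  thumbprint = @required_thumbprint
             AND  pvt_key_encryption_type_desc = 'ENCRYPTED_BY_MASTER_KEY')
    PRINT 'Matching certificate with private key is present; the restore can proceed.';
ELSE
    PRINT 'No matching certificate with a private key in master; import it first (Step 3).';
GO
```

The check on pvt_key_encryption_type_desc matters: a certificate created from the .cer file alone has NO_PRIVATE_KEY and appears to be present, but the restore still fails because the DEK cannot be decrypted without the private key.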
