If you have a database backup of a Transparent Data Encryption (TDE) enabled database, the database backup will contain encrypted data. Because the database backup contains encrypted data you can’t just restore it to any instance. You can only restore the database backup to an instance that contains the same certificate used to originally encrypt the database.
If you want to restore an encrypted database backup to a new instance you need to import the certificate from the source instance where the encrypted backup was created. Here are the steps it takes to copy the original certificate to the instance where the TDE enabled backup will be restored.
Step 1: Verify that there is a Database Master Key
In this step you need to verify that the target server for the restore has a Database Master Key created. To verify that the Database Master key exists you can run the following TSQL code:
SELECT name FROM sys.symmetric_keys
WHERE name LIKE '%DatabaseMasterKey%';
If a Database Master Key exists, then the above code will return the name of the Database Master key. If the Database Master Key doesn’t exist, then you can create it with the following TSQL code:
CREATE MASTER KEY ENCRYPTION
BY PASSWORD='Provide Strong Password Here For Database Master Key';
Step 2: Generate the Certificate Backup from Source Instance
In order to move a TDE encrypted database to another instance you need to have a backup of the certificate that was used to encrypt the TDE enabled database being moved. Hopefully when TDE was set up on the source server a certificate backup was taken. If not, then you can run this TSQL code on the source instance to create a certificate backup and a private key file:
BACKUP CERTIFICATE TDE_CERT_For_MyData
TO FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
WITH PRIVATE KEY (file='C:\temp\TDE_CertKey.pvk',
ENCRYPTION BY PASSWORD='Provide Strong Password for Backup Here');
This code backs up the certificate name TDE_CERT_for_MyData and creates two files. The first file TDE_Cert_For_MyDate.cer contains the backup of the certificate. The second file TDE_CertKey.pvk contains the private key.
Step 3: Restore Certificate to the Target instance
This code can be used to restore the certificate backup.
CREATE CERTIFICATE TDECert
FROM FILE = 'C:\temp\TDE_Cert_For_MyData.cer'
WITH PRIVATE KEY (
FILE = N'C:\temp\TDE_CertKey.pvk',
DECRYPTION BY PASSWORD = 'APrivateKeyP4ssw0rd!'
Once the target instance contains the certificate that was used to encrypt the database being restored, then you will be able to restore your TDE enabled database backup to the target instance.
See all articles by Greg Larsen