Turn TDE off when restoring SQL databasesLost DMK encryption password for master databaseHow do I backup/restore database encryption key in order to restore on new serverMoving TDE database to a new database but having problems with the certTDE restored DB encryption stateDatabases in Suspect state after enabling TDERestoring MS SQL TDE database questionRestoring development database from production backup triggered production database to restore as wellSQL Server TDE - Database backups and post restore behaviour

Does Swashbuckler's Fancy Footwork apply if the attack was made with Booming Blade?

Is it safe to remove the bottom chords of a series of garage roof trusses?

Was Switzerland really impossible to invade during WW2?

Can you be convicted for being a murderer twice?

Was this pillow joke on Friends intentional or a mistake?

Ask for a paid taxi in order to arrive as early as possible for an interview within the city

Why would the US President need briefings on UFOs?

How does turbine efficiency compare with internal combustion engines if all the turbine power is converted to mechanical energy?

Don't understand MOSFET as amplifier

Was 'help' pronounced starting with a vowel sound?

How can I support the recycling, but not the new production of aluminum?

Importing ES6 module in LWC project (sfdx)

Are thrust levers synchronized by default when pushed/pulled?

Can pay be witheld for hours cleaning up after closing time?

Shouldn't the "credit score" prevent Americans from going deeper and deeper into personal debt?

Taking out number of subarrays from an array which contains all the distinct elements of that array

Dark side of an exoplanet - if it was earth-like would its surface light be detectable?

Most practical knots for hitching a line to an object while keeping the bitter end as tight as possible, without sag?

Overwrite file only if data

Why doesn't mathematics collapse even though humans quite often make mistakes in their proofs?

How to create a summation symbol with a vertical bar?

Should my "average" PC be able to discern the potential of encountering a gelatinous cube from subtle clues?

Does adding the 'precise' tag to daggers break anything?

Can you feel passing through the sound barrier in an F-16?



Turn TDE off when restoring SQL databases


Lost DMK encryption password for master databaseHow do I backup/restore database encryption key in order to restore on new serverMoving TDE database to a new database but having problems with the certTDE restored DB encryption stateDatabases in Suspect state after enabling TDERestoring MS SQL TDE database questionRestoring development database from production backup triggered production database to restore as wellSQL Server TDE - Database backups and post restore behaviour






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








3















We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.



My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.



But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?



I did the following in our non-prod environment consisting of two database instances on different VMs:



On instance 1:



  1. Enabled TDE on the database DBA,

  2. Backed up the cert, key, and database,

  3. Restored the backup of DBA to a new database DBA2,

  4. Backed up the database DBA2,
    On instance 2:

  5. Copied the DBA2 backup from instance 1,

  6. Restored DBA2.

Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.



Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.



So it seems like:



  1. the instance 1 DBA key got carried over into DBA2 in step 3, and

  2. the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.

Here is the encryption status on these databases:



 SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'


Instance 1:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256


Instance 2:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256









share|improve this question
















migrated from stackoverflow.com 7 hours ago


This question came from our site for professional and enthusiast programmers.



















  • If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?

    – Ben Thul
    3 hours ago











  • I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...

    – BrianC
    2 hours ago

















3















We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.



My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.



But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?



I did the following in our non-prod environment consisting of two database instances on different VMs:



On instance 1:



  1. Enabled TDE on the database DBA,

  2. Backed up the cert, key, and database,

  3. Restored the backup of DBA to a new database DBA2,

  4. Backed up the database DBA2,
    On instance 2:

  5. Copied the DBA2 backup from instance 1,

  6. Restored DBA2.

Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.



Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.



So it seems like:



  1. the instance 1 DBA key got carried over into DBA2 in step 3, and

  2. the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.

Here is the encryption status on these databases:



 SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'


Instance 1:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256


Instance 2:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256









share|improve this question
















migrated from stackoverflow.com 7 hours ago


This question came from our site for professional and enthusiast programmers.



















  • If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?

    – Ben Thul
    3 hours ago











  • I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...

    – BrianC
    2 hours ago













3












3








3








We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.



My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.



But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?



I did the following in our non-prod environment consisting of two database instances on different VMs:



On instance 1:



  1. Enabled TDE on the database DBA,

  2. Backed up the cert, key, and database,

  3. Restored the backup of DBA to a new database DBA2,

  4. Backed up the database DBA2,
    On instance 2:

  5. Copied the DBA2 backup from instance 1,

  6. Restored DBA2.

Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.



Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.



So it seems like:



  1. the instance 1 DBA key got carried over into DBA2 in step 3, and

  2. the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.

Here is the encryption status on these databases:



 SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'


Instance 1:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256


Instance 2:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256









share|improve this question
















We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.



My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.



But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?



I did the following in our non-prod environment consisting of two database instances on different VMs:



On instance 1:



  1. Enabled TDE on the database DBA,

  2. Backed up the cert, key, and database,

  3. Restored the backup of DBA to a new database DBA2,

  4. Backed up the database DBA2,
    On instance 2:

  5. Copied the DBA2 backup from instance 1,

  6. Restored DBA2.

Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.



Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.



So it seems like:



  1. the instance 1 DBA key got carried over into DBA2 in step 3, and

  2. the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.

Here is the encryption status on these databases:



 SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'


Instance 1:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256


Instance 2:



dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256






sql-server transparent-data-encryption






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 6 hours ago







BrianC

















asked 8 hours ago









BrianCBrianC

165 bronze badges




165 bronze badges





migrated from stackoverflow.com 7 hours ago


This question came from our site for professional and enthusiast programmers.











migrated from stackoverflow.com 7 hours ago


This question came from our site for professional and enthusiast programmers.









migrated from stackoverflow.com 7 hours ago


This question came from our site for professional and enthusiast programmers.














  • If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?

    – Ben Thul
    3 hours ago











  • I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...

    – BrianC
    2 hours ago

















  • If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?

    – Ben Thul
    3 hours ago











  • I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...

    – BrianC
    2 hours ago
















If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?

– Ben Thul
3 hours ago





If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?

– Ben Thul
3 hours ago













I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...

– BrianC
2 hours ago





I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...

– BrianC
2 hours ago










2 Answers
2






active

oldest

votes


















4















But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




There is an entire Docs article on this. Let us know if you have specific questions.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.




I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.




If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.




Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.






share|improve this answer

























  • Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.

    – BradC
    5 hours ago











  • Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.

    – BrianC
    5 hours ago












  • @BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.

    – BradC
    5 hours ago











  • @BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.

    – Sean Gallardy
    4 hours ago











  • @BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.

    – Sean Gallardy
    4 hours ago


















1















But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.



In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.



It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?




No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).



Some useful queries:



SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'


Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.



SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;


Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).






share|improve this answer



























  • The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.

    – BrianC
    5 hours ago











  • @BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?

    – BradC
    5 hours ago











  • Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...

    – BrianC
    4 hours ago












  • According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')

    – BrianC
    4 hours ago











  • @BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.

    – Sean Gallardy
    4 hours ago













Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "182"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f245807%2fturn-tde-off-when-restoring-sql-databases%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









4















But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




There is an entire Docs article on this. Let us know if you have specific questions.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.




I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.




If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.




Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.






share|improve this answer

























  • Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.

    – BradC
    5 hours ago











  • Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.

    – BrianC
    5 hours ago












  • @BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.

    – BradC
    5 hours ago











  • @BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.

    – Sean Gallardy
    4 hours ago











  • @BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.

    – Sean Gallardy
    4 hours ago















4















But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




There is an entire Docs article on this. Let us know if you have specific questions.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.




I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.




If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.




Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.






share|improve this answer

























  • Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.

    – BradC
    5 hours ago











  • Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.

    – BrianC
    5 hours ago












  • @BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.

    – BradC
    5 hours ago











  • @BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.

    – Sean Gallardy
    4 hours ago











  • @BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.

    – Sean Gallardy
    4 hours ago













4












4








4








But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




There is an entire Docs article on this. Let us know if you have specific questions.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.




I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.




If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.




Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.






share|improve this answer














But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




There is an entire Docs article on this. Let us know if you have specific questions.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.




I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.




If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.




Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.







share|improve this answer












share|improve this answer



share|improve this answer










answered 5 hours ago









Sean GallardySean Gallardy

19.2k2 gold badges29 silver badges56 bronze badges




19.2k2 gold badges29 silver badges56 bronze badges















  • Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.

    – BradC
    5 hours ago











  • Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.

    – BrianC
    5 hours ago












  • @BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.

    – BradC
    5 hours ago











  • @BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.

    – Sean Gallardy
    4 hours ago











  • @BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.

    – Sean Gallardy
    4 hours ago

















  • Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.

    – BradC
    5 hours ago











  • Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.

    – BrianC
    5 hours ago












  • @BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.

    – BradC
    5 hours ago











  • @BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.

    – Sean Gallardy
    4 hours ago











  • @BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.

    – Sean Gallardy
    4 hours ago
















Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.

– BradC
5 hours ago





Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.

– BradC
5 hours ago













Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.

– BrianC
5 hours ago






Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.

– BrianC
5 hours ago














@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.

– BradC
5 hours ago





@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.

– BradC
5 hours ago













@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.

– Sean Gallardy
4 hours ago





@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.

– Sean Gallardy
4 hours ago













@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.

– Sean Gallardy
4 hours ago





@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.

– Sean Gallardy
4 hours ago













1















But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.



In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.



It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?




No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).



Some useful queries:



SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'


Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.



SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;


Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).






share|improve this answer



























  • The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.

    – BrianC
    5 hours ago











  • @BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?

    – BradC
    5 hours ago











  • Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...

    – BrianC
    4 hours ago












  • According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')

    – BrianC
    4 hours ago











  • @BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.

    – Sean Gallardy
    4 hours ago















1















But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.



In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.



It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?




No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).



Some useful queries:



SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'


Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.



SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;


Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).






share|improve this answer



























  • The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.

    – BrianC
    5 hours ago











  • @BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?

    – BradC
    5 hours ago











  • Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...

    – BrianC
    4 hours ago












  • According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')

    – BrianC
    4 hours ago











  • @BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.

    – Sean Gallardy
    4 hours ago













1












1








1








But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.



In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.



It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?




No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).



Some useful queries:



SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'


Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.



SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;


Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).






share|improve this answer
















But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.




Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.



In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.



It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.




Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?




When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.




Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?




No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).



Some useful queries:



SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'


Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.



SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;


Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).







share|improve this answer














share|improve this answer



share|improve this answer








edited 5 hours ago

























answered 5 hours ago









BradCBradC

6,7226 gold badges34 silver badges68 bronze badges




6,7226 gold badges34 silver badges68 bronze badges















  • The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.

    – BrianC
    5 hours ago











  • @BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?

    – BradC
    5 hours ago











  • Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...

    – BrianC
    4 hours ago












  • According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')

    – BrianC
    4 hours ago











  • @BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.

    – Sean Gallardy
    4 hours ago

















  • The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.

    – BrianC
    5 hours ago











  • @BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?

    – BradC
    5 hours ago











  • Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...

    – BrianC
    4 hours ago












  • According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')

    – BrianC
    4 hours ago











  • @BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.

    – Sean Gallardy
    4 hours ago
















The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.

– BrianC
5 hours ago





The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.

– BrianC
5 hours ago













@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?

– BradC
5 hours ago





@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?

– BradC
5 hours ago













Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...

– BrianC
4 hours ago






Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...

– BrianC
4 hours ago














According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')

– BrianC
4 hours ago





According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')

– BrianC
4 hours ago













@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.

– Sean Gallardy
4 hours ago





@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.

– Sean Gallardy
4 hours ago

















draft saved

draft discarded
















































Thanks for contributing an answer to Database Administrators Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f245807%2fturn-tde-off-when-restoring-sql-databases%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單