Turn TDE off when restoring SQL databasesLost DMK encryption password for master databaseHow do I backup/restore database encryption key in order to restore on new serverMoving TDE database to a new database but having problems with the certTDE restored DB encryption stateDatabases in Suspect state after enabling TDERestoring MS SQL TDE database questionRestoring development database from production backup triggered production database to restore as wellSQL Server TDE - Database backups and post restore behaviour
Does Swashbuckler's Fancy Footwork apply if the attack was made with Booming Blade?
Is it safe to remove the bottom chords of a series of garage roof trusses?
Was Switzerland really impossible to invade during WW2?
Can you be convicted for being a murderer twice?
Was this pillow joke on Friends intentional or a mistake?
Ask for a paid taxi in order to arrive as early as possible for an interview within the city
Why would the US President need briefings on UFOs?
How does turbine efficiency compare with internal combustion engines if all the turbine power is converted to mechanical energy?
Don't understand MOSFET as amplifier
Was 'help' pronounced starting with a vowel sound?
How can I support the recycling, but not the new production of aluminum?
Importing ES6 module in LWC project (sfdx)
Are thrust levers synchronized by default when pushed/pulled?
Can pay be witheld for hours cleaning up after closing time?
Shouldn't the "credit score" prevent Americans from going deeper and deeper into personal debt?
Taking out number of subarrays from an array which contains all the distinct elements of that array
Dark side of an exoplanet - if it was earth-like would its surface light be detectable?
Most practical knots for hitching a line to an object while keeping the bitter end as tight as possible, without sag?
Overwrite file only if data
Why doesn't mathematics collapse even though humans quite often make mistakes in their proofs?
How to create a summation symbol with a vertical bar?
Should my "average" PC be able to discern the potential of encountering a gelatinous cube from subtle clues?
Does adding the 'precise' tag to daggers break anything?
Can you feel passing through the sound barrier in an F-16?
Turn TDE off when restoring SQL databases
Lost DMK encryption password for master databaseHow do I backup/restore database encryption key in order to restore on new serverMoving TDE database to a new database but having problems with the certTDE restored DB encryption stateDatabases in Suspect state after enabling TDERestoring MS SQL TDE database questionRestoring development database from production backup triggered production database to restore as wellSQL Server TDE - Database backups and post restore behaviour
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.
My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
I did the following in our non-prod environment consisting of two database instances on different VMs:
On instance 1:
- Enabled TDE on the database DBA,
- Backed up the cert, key, and database,
- Restored the backup of DBA to a new database DBA2,
- Backed up the database DBA2,
On instance 2: - Copied the DBA2 backup from instance 1,
- Restored DBA2.
Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.
Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.
So it seems like:
- the instance 1 DBA key got carried over into DBA2 in step 3, and
- the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.
Here is the encryption status on these databases:
SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'
Instance 1:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256
Instance 2:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
sql-server transparent-data-encryption
asked 8 hours ago
BrianCBrianC
165 bronze badges
migrated from stackoverflow.com 7 hours ago
This question came from our site for professional and enthusiast programmers.
add a comment |
We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.
My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
I did the following in our non-prod environment consisting of two database instances on different VMs:
On instance 1:
- Enabled TDE on the database DBA,
- Backed up the cert, key, and database,
- Restored the backup of DBA to a new database DBA2,
- Backed up the database DBA2,
On instance 2: - Copied the DBA2 backup from instance 1,
- Restored DBA2.
Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.
Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.
So it seems like:
- the instance 1 DBA key got carried over into DBA2 in step 3, and
- the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.
Here is the encryption status on these databases:
SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'
Instance 1:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256
Instance 2:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
sql-server transparent-data-encryption
asked 8 hours ago
BrianCBrianC
165 bronze badges
migrated from stackoverflow.com 7 hours ago
This question came from our site for professional and enthusiast programmers.
If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?
– Ben Thul
3 hours ago
I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...
– BrianC
2 hours ago
add a comment |
We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.
My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
I did the following in our non-prod environment consisting of two database instances on different VMs:
On instance 1:
- Enabled TDE on the database DBA,
- Backed up the cert, key, and database,
- Restored the backup of DBA to a new database DBA2,
- Backed up the database DBA2,
On instance 2: - Copied the DBA2 backup from instance 1,
- Restored DBA2.
Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.
Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.
So it seems like:
- the instance 1 DBA key got carried over into DBA2 in step 3, and
- the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.
Here is the encryption status on these databases:
SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'
Instance 1:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256
Instance 2:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
sql-server transparent-data-encryption
asked 8 hours ago
BrianCBrianC
165 bronze badges
We are just getting started with TDE. Eventually it will be in our Prod SQL Server environment and two major non-prod environments, but currently it is only in one non-prod system.
My question is about restoring these databases. We have several other environments (Enterprise and Standard Edition) and an offsite vendor that we sometimes send database backups to. For those, we will either have to use an intermediary server to turn TDE off before restoring, or back up with different keys.
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment. Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward? I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
I did the following in our non-prod environment consisting of two database instances on different VMs:
On instance 1:
- Enabled TDE on the database DBA,
- Backed up the cert, key, and database,
- Restored the backup of DBA to a new database DBA2,
- Backed up the database DBA2,
On instance 2: - Copied the DBA2 backup from instance 1,
- Restored DBA2.
Note that I did not create any certs or keys for DBA2, not did I copy any DBA certs and keys from instance 1 to 2.
Instance 2 has its own unrelated DBA database with TDE certs and keys. TDE is not enabled on DBA2 after restore.
So it seems like:
- the instance 1 DBA key got carried over into DBA2 in step 3, and
- the restore may have used the DBA key from instance 2 in step 6, even though instance 1's DBA and instance2's DBA are separate entities.
Here is the encryption status on these databases:
SELECT db_name(database_id), encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys
where db_name(database_id) like 'DBA%'
Instance 1:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
DBA2 3 0 AES 256
Instance 2:
dbname encryption_state percent_complete key_algorithm key_length
DBA 3 0 AES 256
sql-server transparent-data-encryption
sql-server transparent-data-encryption
asked 8 hours ago
BrianCBrianC
165 bronze badges
asked 8 hours ago
BrianCBrianC
165 bronze badges
edited 6 hours ago
BrianC
asked 8 hours ago
BrianCBrianC
165 bronze badges
asked 8 hours ago
BrianCBrianC
165 bronze badges
asked 8 hours ago
BrianCBrianC
165 bronze badges
165 bronze badges
migrated from stackoverflow.com 7 hours ago
This question came from our site for professional and enthusiast programmers.
migrated from stackoverflow.com 7 hours ago
This question came from our site for professional and enthusiast programmers.
migrated from stackoverflow.com 7 hours ago
This question came from our site for professional and enthusiast programmers.
If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?
– Ben Thul
3 hours ago
I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...
– BrianC
2 hours ago
add a comment |
If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?
– Ben Thul
3 hours ago
I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...
– BrianC
2 hours ago
If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?
– Ben Thul
3 hours ago
If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?
– Ben Thul
3 hours ago
I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...
– BrianC
2 hours ago
I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...
– BrianC
2 hours ago
add a comment |
2 Answers
2
active
oldest
votes
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
There is an entire Docs article on this. Let us know if you have specific questions.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.
I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.
Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.
– BradC
5 hours ago
Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.
– BrianC
5 hours ago
@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.
– BradC
5 hours ago
@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.
– Sean Gallardy
4 hours ago
@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.
– Sean Gallardy
4 hours ago
add a comment |
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.
In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.
It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).
Some useful queries:
SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'
Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.
SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;
Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.
– BrianC
5 hours ago
@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?
– BradC
5 hours ago
Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...
– BrianC
4 hours ago
According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')
– BrianC
4 hours ago
@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.
– Sean Gallardy
4 hours ago
|
show 1 more comment
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "182"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f245807%2fturn-tde-off-when-restoring-sql-databases%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
There is an entire Docs article on this. Let us know if you have specific questions.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.
I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.
Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.
– BradC
5 hours ago
Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.
– BrianC
5 hours ago
@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.
– BradC
5 hours ago
@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.
– Sean Gallardy
4 hours ago
@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.
– Sean Gallardy
4 hours ago
add a comment |
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
There is an entire Docs article on this. Let us know if you have specific questions.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.
I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.
Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.
– BradC
5 hours ago
Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.
– BrianC
5 hours ago
@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.
– BradC
5 hours ago
@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.
– Sean Gallardy
4 hours ago
@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.
– Sean Gallardy
4 hours ago
add a comment |
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
There is an entire Docs article on this. Let us know if you have specific questions.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.
I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.
Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
There is an entire Docs article on this. Let us know if you have specific questions.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
You'll see, in the article above, that yes you won't be able to read the database unless the server certificate which is protecting the database encryption key (DKE) which resides in that database has been restored and available on the destination server.
I am wondering if turning TDE off and on (which would take hours) would be a requirement in this situation.
If the customer can't use TDE, then it's a requirement (Non-Enterprise Editions). If you don't want to send them your internal certificate, then once restored to the destination server, rotate the server certificate to a new one. It won't require any extra operations (apart from metadata changes) on the database. you could then send the customer the cert + the database, in two separate communications channels or a secure channel, of course.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key.
Huh? Your output doesn't show anything but the encryption state of the database. You quite literally can't restore the database without the server certificate. So if it let you restore the database without any issue and you didn't restore a server certificate for it, then the logical conclusion is that the current server certificate is the same on the source and destination server, which is a security no-no.
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
answered 5 hours ago
Sean GallardySean Gallardy
19.2k2 gold badges29 silver badges56 bronze badges
19.2k2 gold badges29 silver badges56 bronze badges
Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.
– BradC
5 hours ago
Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.
– BrianC
5 hours ago
@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.
– BradC
5 hours ago
@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.
– Sean Gallardy
4 hours ago
@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.
– Sean Gallardy
4 hours ago
add a comment |
Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.
– BradC
5 hours ago
Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.
– BrianC
5 hours ago
@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.
– BradC
5 hours ago
@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.
– Sean Gallardy
4 hours ago
@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.
– Sean Gallardy
4 hours ago
Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.
– BradC
5 hours ago
Not sure having the same cert in multiple environments is a "security no-no" as much as it is a security consideration. In our environment that simply means our QA environment has to be treated with prod-level security guidelines.
– BradC
5 hours ago
Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.
– BrianC
5 hours ago
Although the article has valid points, it seems to reference moving the database by detach / attach. That isn't something we'd be doing in our Prod environment. I was asking more in terms of refreshing environments from Prod. And since in my test the two servers were from the same environment, the cert and key setup were exactly the same. That probably explains why the DBA / DBA2 database in instance 1 and 2 seemed to be able to use the same key and cert.
– BrianC
5 hours ago
@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.
– BradC
5 hours ago
@BrianC Yeah, there is zero reason to do detach/attach, backup and restore will work fine. But the cert/key backup/restore code in that article looks accurate. That must be why your restore worked fine; the cert had already been restored to the other environment.
– BradC
5 hours ago
@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.
– Sean Gallardy
4 hours ago
@BradC No, it's a security no-no. Treating QA like prod and it being prod are two different things.
– Sean Gallardy
4 hours ago
@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.
– Sean Gallardy
4 hours ago
@BrianC It doesn't matter if it's a backup/restore, attach/detach, log shipping, mirroring, availaiblity group, the certificate needs to be there. Again, it's the same cert so nothing magically went with it, as I've stated.
– Sean Gallardy
4 hours ago
add a comment |
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.
In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.
It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).
Some useful queries:
SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'
Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.
SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;
Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.
– BrianC
5 hours ago
@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?
– BradC
5 hours ago
Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...
– BrianC
4 hours ago
According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')
– BrianC
4 hours ago
@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.
– Sean Gallardy
4 hours ago
|
show 1 more comment
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.
In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.
It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).
Some useful queries:
SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'
Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.
SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;
Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.
– BrianC
5 hours ago
@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?
– BradC
5 hours ago
Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...
– BrianC
4 hours ago
According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')
– BrianC
4 hours ago
@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.
– Sean Gallardy
4 hours ago
|
show 1 more comment
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.
In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.
It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).
Some useful queries:
SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'
Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.
SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;
Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
But specifically, I am wondering how to restore from a TDE enabled prod environment to a TDE enabled non-prod environment.
Just restore the backed up TDE certificate (using the key and password) to the non-prod SQL server, then you can restore encrypted databases back and forth between the two environments.
In our environment, we create a certificate for each application, not for each server. This also means that multiple databases on the same server might be using different certs, if they are part of different applications.
It also means that our QA and DEV environments for these applications have to be locked down as hard as our prod environment, from a security perspective. If your security policies don't allow that, then yes, you'll have to restore a copy of the database to an intermediate server (or restore a copy on prod) to remove TDE.
Once a TDE database is restored over without TDE being turned off, is it using the source server's keys going forward?
When you restore the certificate using the exported key and password, you are using the same certificate, but you are attaching it to the new server's masterkey, so it is using the original cert, but not the source server's "key", per se.
Also note the strange behavior when I restored below. It appeared that it is carrying a historical key through a previous incarnation of the database, and when copying to a server with the same database name, is allowing the second server's key. It this correct?
No, that's not possible. Either someone removed TDE before restoring it to the second server, or the second instance has a previously restored copy of the same TDE certificate (by thumbprint, not by name).
Some useful queries:
SELECT name, issuer_name, subject, thumbprint
FROM master.sys.certificates
WHERE pvt_key_encryption_type = 'MK'
Lists all TDE certs on the instance (or, at least all the ones encrypted by the master key, which is the recommended technique). The "thumbprint" is the column that matters, if you want to compare your certs between servers.
SELECT d.name as dbname, d.is_encrypted,
CASE k.encryption_state
WHEN 0 THEN 'NoKey'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryping...'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'KeyChange...'
WHEN 5 THEN 'Decrypting...'
WHEN 6 THEN 'ProtectionChange...'
END as state_desc,
k.percent_complete, CONCAT(k.key_algorithm, '-', k.key_length) as key_type,
c.name as certname
FROM sys.databases d
LEFT OUTER JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
LEFT OUTER JOIN sys.certificates c ON k.encryptor_thumbprint = c.thumbprint
ORDER BY k.encryption_state DESC, d.name;
Show all databases on the server, their encryption state, and the encryption key they are associated with (based on thumbprint, not name).
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
edited 5 hours ago
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
answered 5 hours ago
BradCBradC
6,7226 gold badges34 silver badges68 bronze badges
6,7226 gold badges34 silver badges68 bronze badges
The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.
– BrianC
5 hours ago
@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?
– BradC
5 hours ago
Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...
– BrianC
4 hours ago
According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')
– BrianC
4 hours ago
@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.
– Sean Gallardy
4 hours ago
|
show 1 more comment
The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.
– BrianC
5 hours ago
@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?
– BradC
5 hours ago
Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...
– BrianC
4 hours ago
According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')
– BrianC
4 hours ago
@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.
– Sean Gallardy
4 hours ago
The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.
– BrianC
5 hours ago
The DBA2 database is likely carrying forward the cert from DBA on instance 1, and when the restore happenned it probably succeeded since instance 1 and 2 are part of the same 'environment', and thus use identical cert configuration. That's my best theory anyway. Running the TDE cert query shows one single cert in instance 1 (as we will likely not be able to share certs by application all the way up the environment hierarchy. Instance 2 has its own cert from the initial setup plus a second cert I created for the purposes of the restore from instance 1.
– BrianC
5 hours ago
@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?
– BradC
5 hours ago
@BrianC So, you did create a cert prior to restoring the encrypted db? From scratch? Or via restoring the cert/key pair exported from the other instance?
– BradC
5 hours ago
Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...
– BrianC
4 hours ago
Correct, but I don't know if I did it right. On the destination server I created a cert just for a restore: name issuer_name subject thumbprint TDECert TDE Certificate TDE Certificate 0x52.... TDECertRestore TDE Certificate TDE Certificate 0x87...
– BrianC
4 hours ago
According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')
– BrianC
4 hours ago
According to my documentation, this was the cert creation code: It was created to restore a specific TDETest database as part the initial test: CREATE CERTIFICATE TDECertRestore_[database] FROM FILE = '[some path]certificate_TDETest_Certificate.cer' WITH PRIVATE KEY (FILE = '[some path]certificate_TDETest_Key.pvk', DECRYPTION BY PASSWORD = '[source cert password]')
– BrianC
4 hours ago
@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.
– Sean Gallardy
4 hours ago
@BrianC Ther server cert is not contained in the user database but in the master database so there is literally no way a user database is carrying it around to each instance to make it automagically work.
– Sean Gallardy
4 hours ago
|
show 1 more comment
Thanks for contributing an answer to Database Administrators Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f245807%2fturn-tde-off-when-restoring-sql-databases%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
If you add encryptor_thumbprint and encryptor_type to your query, what does it tell you?
– Ben Thul
3 hours ago
I can get encryptor_thumbprint but because it is on SQL 2008 R2 (under ultra-extended paid support), encryptor_type isn't available. On the destination server, the DBA2 database is using the other cert created from the copied file as per another comment in one of the answers below: (No column name) encryption_state percent_complete key_algorithm key_length encryptor_thumbprint DBA 3 0 AES 256 0x52... DBA2 3 0 AES 256 0x87...
– BrianC
2 hours ago