SQL Server – Fixing ‘File is Not Valid or Does Not Exist’ Error on Reimport

sql serversql-server-2012transparent-data-encryption

We all know that the error "file is not valid or does not exist; or you do not have permissions for it" nearly always means one of two things:

There's a typo in the path or filename
The service account running SQL Server does not have permissions on the directory or file(s)

However, I am getting this error in a situation where neither of these usual causes is possible. To confirm what I'm seeing, I distilled the situation down into an example where I export a certificate from SQL Server, and then immediately try to reimport the exact same certificate from the same location. This generates the given error for reasons that have me stumped.

Because SQL Server can write out the files, we know it has permissions to the directory and the files. (And yes, I already checked that we don't have a bizarre permission scenario where the account has write permissions only but not read permissions.) And we know that there are no typos in the path or filename, because they are literally copy-pasted character-for-character from the lines just above.

Here is the SQL used to generate this example. I will also upload a screen capture of the output. I could sure use any help– I'm completely stumped at this point.

    -- make a cert, export it, and drop it
CREATE CERTIFICATE CertForTDE WITH SUBJECT='CertForExport';
GO

BACKUP CERTIFICATE CertForTDE
TO FILE = 'E:\Output\SelfSignedTdeCert.cer'
WITH PRIVATE KEY (
    FILE='E:\Output\SelfSignedTdeCert.pvk', 
    ENCRYPTION BY PASSWORD='ABCDabcd1234!@#$'
);
GO

DROP CERTIFICATE CertForTDE;
GO

-- attempt to reimport from same location causes "file is not valid or does not exist"!
CREATE CERTIFICATE CertForTDE
FROM FILE = 'E:\Output\SelfSignedTdeCert.cer'
WITH PRIVATE KEY (
    FILE='E:\Output\SelfSignedTdeCert.pvk', 
    ENCRYPTION BY PASSWORD='ABCDabcd1234!@#$'
);
GO

Best Answer

You didn't decrypt the key file. This

CREATE CERTIFICATE CertForTDE
FROM FILE = 'E:\Output\SelfSignedTdeCert.cer'
WITH PRIVATE KEY (
    FILE='E:\Output\SelfSignedTdeCert.pvk', 
    ENCRYPTION BY PASSWORD='ABCDabcd1234!@#$'
);

Should be

CREATE CERTIFICATE CertForTDE
FROM FILE = 'c:\temp\SelfSignedTdeCert.cer'
WITH PRIVATE KEY (
    FILE='c:\temp\SelfSignedTdeCert.pvk', 
    DECRYPTION BY PASSWORD='ABCDabcd1234!@#$'
);

Here's a complete repro:

use master
go
drop database certtest
go
create database certtest

go
use certtest
go
create master key encryption by password = 'ABCDabcd1234!@#$'
go
CREATE CERTIFICATE CertForTDE WITH SUBJECT='CertForExport';
GO

BACKUP CERTIFICATE CertForTDE
TO FILE = 'c:\temp\SelfSignedTdeCert.cer'
WITH PRIVATE KEY (
    FILE='c:\temp\SelfSignedTdeCert.pvk', 
    ENCRYPTION BY PASSWORD='ABCDabcd1234!@#$'
);
GO

DROP CERTIFICATE CertForTDE;
GO

-- attempt to reimport from same location causes "file is not valid or does not exist"!
CREATE CERTIFICATE CertForTDE
FROM FILE = 'c:\temp\SelfSignedTdeCert.cer'
WITH PRIVATE KEY (
    FILE='c:\temp\SelfSignedTdeCert.pvk', 
    ENCRYPTION BY PASSWORD='ABCDabcd1234!@#$'
);
--Msg 15208, Level 16, State 12, Line 28
--The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.

GO

-- attempt to reimport from same location causes "file is not valid or does not exist"!
CREATE CERTIFICATE CertForTDE
FROM FILE = 'c:\temp\SelfSignedTdeCert.cer'
WITH PRIVATE KEY (
    FILE='c:\temp\SelfSignedTdeCert.pvk', 
    DECRYPTION BY PASSWORD='ABCDabcd1234!@#$'
);
--succeeds

Related Solutions

Sql-server – TDE prep: key/certificate backup for restores

If you want to restore on a different server, you should be able to do so with the certificate, private key and database backup file(s).

When a certificate is created in any database in SQL Server, it is part of an encryption hierarchy. The certificate in the master database itself only contains a public key, which needs no protection, however, the master database will also contain a separate but mathematically related private key which does need to be protected. The method of protecting the private key is to encrypt it using the database master key you created in the master database prior to creating the certificate. The next layer in the encryption hierarchy is that the DMK is encrypted by the service master key. There is only one SMK on the system and it is in the master database.

Even though you don't need the DMK and SMK to restore an encrypted backup to another server, I would back up these two keys anyway as it makes recovery much more flexible.

When you restore the backup encryption certificate to the master database, what happens behind the scenes is that the private key is read from the file, decrypted using the password you provide in the restore command, then encrypted using the database master key and saved. As you know, the private key from the certificate can then be used to decrypt the Database Encryption Key in the backup file and successfully restore the database.

I don't have a specific recommendation for storing the certificate and key backup files, but they do need to be available to you and whoever does the disaster recovery in your organization.

Sql-server – What do I need to restore an encrypted MSSQL database

To put it simply, your mistake is in step 5. You need to backup the private key with the certificate. You will need to secure the password so you can use it to restore the certificate on the destination server.

It would be helpful for you to concentrate on learning more about the encryption hierarchy. The private key of the TDE certificate is the only key that can decrypt the database master key, and the DMK is a symmetric key that directly encrypts and decrypts pages in the TDE enabled database.

BACKUP CERTIFICATE mycert TO FILE = 'Path_to_file.cer'  
    WITH PRIVATE KEY ( FILE = 'path_to_file.pvk' ,   
    ENCRYPTION BY PASSWORD = 'password to encrypt the file path_to_file.pvk' );  
GO

Best Answer

Related Solutions

Sql-server – TDE prep: key/certificate backup for restores

Sql-server – What do I need to restore an encrypted MSSQL database

Related Question