As it is said here it is a good practice to backup the database master key, because when the database is moved to another instance it will need the original DMK that has been used to protect the certificates in order to skip regeneration of the encrypted stuff.
In the context of database backup encryption, when the DMK is stored in the master database with the rest of the certificates used for backup encryption, do we need to create a backup of the DMK?
Also, I am wondering, as it said that
When it is created, the master key is encrypted by using the AES_256
algorithm and a user-supplied password.
Does this mean, that if I used same password to create and protect each DMK in my master databases across all instances, the key will be the same?
If not, it is OK to create a DMK on one database, and to restore it on all instances in order to have the same key everywhere and to need make a backup of only one key?
Best Answer
That answer isn't factually correct. When the database is migrated, the DMK was encrypted with the old SMK and the password. You can open the DMK with the password on the new instance and add decryption by the new SMK. This doesn't require that you decrypt and encrypt the securables protected by the DMK again, since the actual DMK key didn't change - just what is protecting it.
Depends but most likely you won't directly need it unless there is something really, really bad that happens. Then you'll need to restore the DMK over the other one but that's not ideal, fun, or easy, either. If you have a backup of the master database then it already holds the DMK, additionally you will need a safe place to store the password. Since master is a special database, the use cases of this are much smaller than a user database.
No, there is an initialization vector that is used so the keys won't be the same. It's not based off of the password used.
Definitely not ok. Is it ok to have just one password for everything from your email, online banking, and fantasy football account? Probably not. Probably not good to have a single key that opens your car, front door, mailbox, gate, bank deposit box, etc.