Sql-server – How to restore TDE encrypted DB on AWS (with certificate not stored in master)

amazon-rdssql servertransparent-data-encryption

The way Amazon RDS enable TDE feature is to generate a certificate stored in master. However, I need to restore a database that is encrypted by another certificate.

I have the cert file, private key file and password.
But I can only create a certificate with files and password in ANY OTHER DATABASE EXCEPT MASTER.

Could you please give me some advice on how to restore TDE encrypted DB with certificate not stored in master? Or is there a method to to back up certificate at master in Amazon RDS?
Thanks in Advance!

Best Answer

This is a bit of a gap with RDS. Apparently the advice is to remove TDE on the source DB then back it up so that it can be restored to RDS.

This is a pretty poor scenario in my opinion - switching on and off TDE should not be taken lightly. I really hope that AWS enable some functionality to backup/restore certificates for TDE

Related Solutions

SQL Server Encryption – Recovering Lost DMK Password for Master Database

My company has TDE encryption enabled for some of our databases. The password that the master key was encrypted by for one of our servers is lost. We do have the backup .key file, however, the password it was encrypted with is lost too.

We also have the certificate backed up, but those passwords are lost as well.

So you know the backup cert/DMK files are now useless. I would IMMEDIATELY take new backups and save the passwords. This way you can restore older backup files should anything happen. I would also backup the SMK as that's the only means you have to decrypting the DMK/Cert at this moment.

The original backup files (master key, cert) are still in existence and those encryption passwords are available for previous servers these DBs lived on.

I'm assuming the keys haven't been rotated per your comment. If this is the case you are most likely able to restore these to a test server and restore your TDE enabled databases to said test server without issue. If this is the case, you could re-use these keys assuming nothing else is relying on the DMK/Cert in your current instance.

Since TDE works through the SMK (and not by passwords) you're currently "at risk". Sure, it's running but who knows when or if something will happen. I stated before, take new backups.

The most straight forward approach would be to remove TDE from the databases on that instance, remove the cert, and remove the DMK (After backing them up first). Then proceed to create the DMK/Cert/TDE enabled. It's going to be disk and cpu intensive for a bit (depending on the size of database and hardware/disk/etc). Backup the new DMK/Cert with a guarded password.

SQL Server – Restore Database with Encrypted Column Without Overwriting Service Master Key

Server1 running SQL Server 2012 with Service Master Key A, db1 with Database Master Key 1, symmetric key and certificate available.

I assume that the db1 master key is encrypted with the SMK. This makes everything encrypted by the database master key 'available' to applications, w/o having to explicitly open the database master key.

What you need to do is to restore the database, open the database master key using the DBMK password and then add the Server 2 SMK encryption to the DBMK:

RESTORE DATABESE ... FROM ...;
USE ...;
OPEN MASTER KEY DECRYPTION BY PASSWORD = ...;
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;

Best Answer

Related Solutions

SQL Server Encryption – Recovering Lost DMK Password for Master Database

SQL Server – Restore Database with Encrypted Column Without Overwriting Service Master Key

Related Question