Sql-server – Restore SQL Server DB encrypted by EKM – where’s the asymmetric key

MS is clear about restoring TDE backups: Certificate has to be restored on destination OR, in case of EKM, the asymmetric key

"
When moving a TDE protected database, you must also move the certificate or [[asymmetric key]] that is used to open the DEK. The certificate or asymmetric key must be installed in the master database of the destination server, so that SQL Server can access the database files
"

Now, there is no asymmetric backup built-in SQL Server. We might assume that the EK can export it or so?? we can restore Asym keys created as strong name files but the create statement of Asym key with EKM does not look to support a source file

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE

FROM Provider [SafeNetLunaHSM]

WITH ALGORITHM = RSA_2048,

PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',

CREATION_DISPOSITION=CREATE_NEW

I am using Safenet Luna HSM. Has anyone been in a similar situation? simply restoring a TDE backup from EKM source to Native TDE destination.

Appreciate the help

Best Answer

If you're using an HSM, there would be no point to export the key in a situation like this. The main point of an HSM is to keep the keys safe, among various other things - so you really don't want to export the key.

First, I'm going to assume that on the server you want to restore this database to you've created the credential used to access the HSM and I'm going to assume you've allowed the addresses of the new server to talk to the HSM, and all of the other assumptions such as load the EKM DLL, etc. In that case, rather than specifying CREATION_DISPOSITION = CREATE_NEW you'll want to use CREATION_DISPOSITION = OPEN_EXISTING which is part of the CREATE ASYMMETRIC KEY T-SQL.

Best Answer

Related Solutions

Sql-server – How to backup/restore database encryption key in order to restore on new server

SQL Server – Restore Database with Encrypted Column Without Overwriting Service Master Key

Related Question