Sql-server – Restoring MS SQL TDE database question

sql servertransparent-data-encryption

I'm new to SQL Server TDE and have a question.

I have two VM's (VM1 = Source and VM2 = Target). On the source machine, I executed all the required steps to enable my Test database as well as backing up the certificate and private key. No issues here.

On the target machine, i executed the following t-sql commands

CREATE MASTER KEY ENCRYPTION

CREATE CERTIFICATE
FROM FILE
WITH PRIVATE KEY(
FILE
DECRYPTION BY PASSWORD
);

without any issue and successfully restored my Test TDE database.

On the source machine, I had to run this command

CREATE DATABASE ENCRYPTION KEY

but I didn't have to when I did the restore on the target machine. Here's my question: Is my Test database on the target machine TDE enabled?

Best Answer

When you say:

On the source machine, I executed all the required steps to enable my Test database as well as backing up the certificate and private key. No issues here.

We don't really know the steps you took.

Here is a query you can run to see if the database is encrypted on the target server. Look at the EncryptionState column.

SELECT 
    db_name(database_id) as DatabaseName, 
    Case 
        when encryption_state=0 then 'No Database Encryption'
        when encryption_state=1 then 'Unencrypted'
        when encryption_state=2 then 'Encryption In Progress'
        when encryption_state=3 then 'Encrypted'
        when encryption_state=4 then 'Key Change In Progress'
        when encryption_state=5 then 'Decryption In Progress'
        when encryption_state=6 then 'Protection Changes In Progress'
    end as EncryptionState,
    percent_complete
FROM sys.dm_database_encryption_keys

Related Solutions

Sql-server – Enable TDE for existing AlwaysOn databases

In the absence of any other input, here's what I was able to deduce. Short story: this appears to work fine.

As far as I can see, enabling TDE for a database is a logged operation, but the actual data encryption is not logged (otherwise the transaction log would grow considerably, which it doesn't). I assume there's something like the differential change map, or a flag in the page headers to indicate if a page is encrypted or not, and the storage engine just chews through everything until it's fully encrypted.

When I enable TDE at the primary database, the secondary database ends up encrypted too (I have verified this with a hex editor). While encrypting is in progress, the view sys.dm_database_encryption_keys indicates percent_complete for all the secondary servers is 0, and this value never increases. The primary server updates this column normally. All the replicas tend to finish encrypting at their own pace, at which point encryption_state changes to 3. Seems like everything works normally once it's finished.

Moving TDE Database to New SQL Server – Certificate Problems

You will need to create a master key on the new server - if it does not exit already.

USE MASTER;
GO
if not exists (select 1 from sys.symmetric_keys where name = '##MS_DatabaseMasterKey##')
 CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Strong_Password';

Then you have to restore your certificate:

CREATE CERTIFICATE serverCert  FROM FILE = 'C:\cert_Backups\servercert.cer'     
WITH PRIVATE KEY (FILE = 'C:\cert_Backups\servercert.key'
    ,DECRYPTION BY PASSWORD = 'strong_Passw0rD')
GO

But for this to work you will have to make sure that you made a backup of the original certificate with the private key.

Backup certificate ServerCert 
 to file = 'C:\cert_Backups\servercert.cer'
 with private key (file = 'C:\cert_Backups\servercert.key',
 encryption By Password = 'strong_Passw0rD')
GO

If you only have a cer file and not a key you will need to backup your certificate again

Best Answer

Related Solutions

Sql-server – Enable TDE for existing AlwaysOn databases

Moving TDE Database to New SQL Server – Certificate Problems

Related Question