SQL Server – Risks of Setting ‘Encryption Enabled’ to FALSE

log-shippingmigrationsql servertransparent-data-encryption

I'm migrating a database from SQL Server 2012 to SQL Server 2014 on the same server.

I'm configuring LOG SHIPPING on a database that is apparently encrypted:

When setting the log shipping I got this message (when it started to restore the database from a backup):

I'm the new DBA here and there's no report of master keys, encrypted keys etc.

I'm setting log shipping from SQL2012 to SQL2014 (with norecovery). What could go wrong if I set this database to Encryption enabled - false and try to restore the database with the log shipping wizard?

There are some questions about this problem , like This one, but all of them say I need the password.

I Just found this certificate on master > security > certificates on the primary server (2012):

And there are some code samples over the Interet but I really can't trust them (I don't think it's too simple):

`USE MASTER
GO
ALTER DATABASE DatabaseName
SET ENCRYPTION OFF
GO
USE DatabaseName
GO
DROP DATABASE ENCRYPTION KEY
GO`

Edit1:

In this question Dylon says:

If you are receiving the thumbprint error the certificate was not created properly from the Source Server's Cert/Key backups.

I'm confused about this topic and all I want is to disable encryption, restore the database on the other server to log shipping, and some day, activate encryption.

Edit2:

On Database > tasks > manage database encryption there are some options too:

Disabling this, I would be able to backup the database again, and restore it on the new instance?

Best Answer

Do not disable TDE. Besides being a lengthy size-of-data operation, it was established initially for a reason and you may be breaking whatever compliance/operations reason exists for TDE.

Rather set up log shipping properly in the presence of TDE. Follow the steps described in Move a TDE Protected Database to Another SQL Server. You are going to export the TDE certificate from the original server and then import it on the standby server, making sure it is encrypted with the master database master key and the database master master key is in turn encrypted with the service master key. After that, if done correctly, restore operations should succeed as the required TDE certificate is present.

To copy the certificate: The certificate is in the master database of the primary instance. You need to run:

BACKUP CERTIFICATE TDE_CERT 
 TO FILE <where to save cert> 
 WITH PRIVATE KEY (FILE = <where to save private key>, 
  ENCRYPTION BY PASSWORD = <password for the private key file>);

Then copy both cert and private key files to the secondary and restore it in master using:

 CREATE CERTIFICATE TDE_CERT 
  FROM FILE = <your copied cert file> 
  WITH PRIVATE KEY (FILE = <your copied private key file>,
   DECRYPTION BY PASSWORD = <password that protects private key file>);

TDE_CERT in master on the secondary needs to be encrypted with master database master key, which will likely need to be created.

Related Solutions

SQL Server Encryption – Recovering Lost DMK Password for Master Database

My company has TDE encryption enabled for some of our databases. The password that the master key was encrypted by for one of our servers is lost. We do have the backup .key file, however, the password it was encrypted with is lost too.

We also have the certificate backed up, but those passwords are lost as well.

So you know the backup cert/DMK files are now useless. I would IMMEDIATELY take new backups and save the passwords. This way you can restore older backup files should anything happen. I would also backup the SMK as that's the only means you have to decrypting the DMK/Cert at this moment.

The original backup files (master key, cert) are still in existence and those encryption passwords are available for previous servers these DBs lived on.

I'm assuming the keys haven't been rotated per your comment. If this is the case you are most likely able to restore these to a test server and restore your TDE enabled databases to said test server without issue. If this is the case, you could re-use these keys assuming nothing else is relying on the DMK/Cert in your current instance.

Since TDE works through the SMK (and not by passwords) you're currently "at risk". Sure, it's running but who knows when or if something will happen. I stated before, take new backups.

The most straight forward approach would be to remove TDE from the databases on that instance, remove the cert, and remove the DMK (After backing them up first). Then proceed to create the DMK/Cert/TDE enabled. It's going to be disk and cpu intensive for a bit (depending on the size of database and hardware/disk/etc). Backup the new DMK/Cert with a guarded password.

SQL Server – Restore Database with Encrypted Column Without Overwriting Service Master Key

Server1 running SQL Server 2012 with Service Master Key A, db1 with Database Master Key 1, symmetric key and certificate available.

I assume that the db1 master key is encrypted with the SMK. This makes everything encrypted by the database master key 'available' to applications, w/o having to explicitly open the database master key.

What you need to do is to restore the database, open the database master key using the DBMK password and then add the Server 2 SMK encryption to the DBMK:

RESTORE DATABESE ... FROM ...;
USE ...;
OPEN MASTER KEY DECRYPTION BY PASSWORD = ...;
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;

Best Answer

Related Solutions

SQL Server Encryption – Recovering Lost DMK Password for Master Database

SQL Server – Restore Database with Encrypted Column Without Overwriting Service Master Key

Related Question