In order to encrypt a SQL db, I run the following commands:
CREATE CERTIFICATE <certname> ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>'
WITH SUBJECT = 'certificate subject', EXPIRY_DATE = '20291031';
go
USE <databasetoencrypt>;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE <certname>;
GO
When trying to execute the CREATE DATABASE ENCRYPTION KEY
command, I receive this message and don't know what to do:
Cannot use certificate 'name', because its private key is not present or it is not protected by the database master key. SQL Server requires the ability to automatically access the private key of the certificate used for this operation.
When I omit the ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>'
during the CREATE CERTIFICATE
command, it works. However, I need to create a password protected certificate.
Do you have any idea?! Thank you.
Best Answer
You cannot create a password-protected-certificate, then use that certificate to encrypt a database via TDE since the SQL Server will not be able to open the database.
From Microsoft Docs:
Steps involved in encrypting a database using TDE:
Create a master key
Create or obtain a certificate protected by the master key
Create a database encryption key and protect it by the certificate
Set the database to use encryption
An example of the above, taken from the Microsoft Docs page on TDE:
That page also says this: