Sql-server – TDE cannot encrypt database

sql serversql-server-2008-r2transparent-data-encryption

In order to encrypt a SQL db, I run the following commands:

CREATE CERTIFICATE <certname> ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>'
WITH SUBJECT = 'certificate subject', EXPIRY_DATE = '20291031';
go

USE <databasetoencrypt>;
GO

CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE <certname>;
GO

When trying to execute the CREATE DATABASE ENCRYPTION KEY command, I receive this message and don't know what to do:

Cannot use certificate 'name', because its private key is not present or it is not protected by the database master key. SQL Server requires the ability to automatically access the private key of the certificate used for this operation.

When I omit the ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>' during the CREATE CERTIFICATE command, it works. However, I need to create a password protected certificate.

Do you have any idea?! Thank you.

Best Answer

You cannot create a password-protected-certificate, then use that certificate to encrypt a database via TDE since the SQL Server will not be able to open the database.

From Microsoft Docs:

Transparent Data Encryption (TDE) must use a symmetric key called the database encryption key which is protected by either a certificate protected by the database master key of the master database, or by an asymmetric key stored in an EKM.

Steps involved in encrypting a database using TDE:

Create a master key
Create or obtain a certificate protected by the master key
Create a database encryption key and protect it by the certificate
Set the database to use encryption

An example of the above, taken from the Microsoft Docs page on TDE:

USE master;  
GO  
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';  
go  
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';  
go  
USE AdventureWorks2012;  
GO  
CREATE DATABASE ENCRYPTION KEY  
WITH ALGORITHM = AES_128  
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;  
GO  
ALTER DATABASE AdventureWorks2012  
SET ENCRYPTION ON;  
GO

That page also says this:

TDE certificates must be encrypted by the database master key to be accepted by the following statements. If they are encrypted by password only, the statements will reject them as encryptors.

    CREATE DATABASE ENCRYPTION KEY
    ALTER DATABASE ENCRYPTION KEY
    DROP DATABASE ENCRYPTION KEY

Altering the certificates to be password-protected after they are used by TDE will cause the database to become inaccessible after a restart.

Related Solutions

Moving TDE Database to New SQL Server – Certificate Problems

You will need to create a master key on the new server - if it does not exit already.

USE MASTER;
GO
if not exists (select 1 from sys.symmetric_keys where name = '##MS_DatabaseMasterKey##')
 CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Strong_Password';

Then you have to restore your certificate:

CREATE CERTIFICATE serverCert  FROM FILE = 'C:\cert_Backups\servercert.cer'     
WITH PRIVATE KEY (FILE = 'C:\cert_Backups\servercert.key'
    ,DECRYPTION BY PASSWORD = 'strong_Passw0rD')
GO

But for this to work you will have to make sure that you made a backup of the original certificate with the private key.

Backup certificate ServerCert 
 to file = 'C:\cert_Backups\servercert.cer'
 with private key (file = 'C:\cert_Backups\servercert.key',
 encryption By Password = 'strong_Passw0rD')
GO

If you only have a cer file and not a key you will need to backup your certificate again

Sql-server – TDE prep: key/certificate backup for restores

If you want to restore on a different server, you should be able to do so with the certificate, private key and database backup file(s).

When a certificate is created in any database in SQL Server, it is part of an encryption hierarchy. The certificate in the master database itself only contains a public key, which needs no protection, however, the master database will also contain a separate but mathematically related private key which does need to be protected. The method of protecting the private key is to encrypt it using the database master key you created in the master database prior to creating the certificate. The next layer in the encryption hierarchy is that the DMK is encrypted by the service master key. There is only one SMK on the system and it is in the master database.

Even though you don't need the DMK and SMK to restore an encrypted backup to another server, I would back up these two keys anyway as it makes recovery much more flexible.

When you restore the backup encryption certificate to the master database, what happens behind the scenes is that the private key is read from the file, decrypted using the password you provide in the restore command, then encrypted using the database master key and saved. As you know, the private key from the certificate can then be used to decrypt the Database Encryption Key in the backup file and successfully restore the database.

I don't have a specific recommendation for storing the certificate and key backup files, but they do need to be available to you and whoever does the disaster recovery in your organization.

Best Answer

Related Solutions

Moving TDE Database to New SQL Server – Certificate Problems

Sql-server – TDE prep: key/certificate backup for restores

Related Question