I am trying to implement TDE by following the below steps.

On Source Server: Service master key already exists
Create database encryption key on the user database and enable TDE on this database
Backup certificate (.cer) with private key (.pvk) with password

When I need to restore this TDE enabled database on DR/Test server
Create the certificate from the backup of the source server

I have found that we can take backups of Service Master Key (SMK) and Database Master Key (DMK) as well, not just the certificate backup file. Why do we need to take backups of SMK and DMK? Will I need the same SMK and DMK from the source server to restore the database backup on a test/DR server? Why in the article below did they not restore SMK and DMK? On a test server, if a service master key already exists from SQL installation and I create a database master key (or do I need to restore it from the backup of the source?), are the next steps simply restoring the certificate from the source server and then restoring the database?

The short answer: you don't need to back up the DMK or SMK from the source server in order to be able to restore your database; the certificate is sufficient.

The longer answer is that each of the SMK and DMK is designed to encrypt something in the encryption hierarchy. In the case of TDE, the master database's DMK encrypts the private key portion of the TDE certificate, and the master database's DMK is encrypted by the SMK. This allows SQL to open the certificate without user intervention, which in turn allows your database to start without user intervention. So long as you have a backup of the certificate that includes both the public and private key portions, you can restore that to any server you want and encrypt the private key portion with the target server's master database DMK, and you should be good to go.

One caveat specific to DMKs and Availability Groups is that if you have a user database in an AG that has a DMK, you'll want the SMK to be the same across all of the servers in the AG. To make a physical lock analogy, you're putting a lock on the DMK's private key and making sure that all of the servers have a copy of the same key. If you don't do that, when you fail over, the new primary server's key won't fit in the lock and you'll have to open it with a key you have (i.e.
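The procedure the question lists and the hierarchy the answer describes, as one added worked T-SQL example (this is not code from the question, the answer, or the article it refers to). It walks the source server from master DMK to certificate to database encryption key, exports the certificate with its private key, imports it on a DR/test server that has its own, different SMK and DMK, and then applies the answer's AG caveat for a user database that carries its own DMK. The database name SalesDB, the certificate name TDE_Cert, the file paths and every password are placeholders chosen for this example.

```sql
-- Added example, not part of the original post. SalesDB, TDE_Cert, the paths and the
-- passwords are placeholders; replace them before running.

-- ===== Source server =====
USE master;
GO
-- master's DMK is protected by this password AND, by default, by this server's SMK,
-- which is what lets SQL Server open it (and the certificate under it) at startup.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'SourceDmkP@ssw0rd!';
GO
-- The certificate's private key is encrypted by master's DMK.
CREATE CERTIFICATE TDE_Cert
    WITH SUBJECT = 'TDE certificate for SalesDB';
GO
USE SalesDB;
GO
-- The database encryption key (DEK) is encrypted by the certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
USE master;
GO
-- Back up BOTH halves: the public part (.cer) and the private key (.pvk). On disk the
-- private key is protected by the export password, not by the DMK or SMK, which is why
-- neither of those keys has to travel with it.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\Backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'PvkExportP@ssw0rd!');
GO
BACKUP DATABASE SalesDB TO DISK = 'C:\Backup\SalesDB.bak';
GO

-- ===== DR / test server (its own SMK; nothing copied from the source but the
-- certificate files and the database backup) =====
USE master;
GO
-- Create a DMK only if master does not already have one. Its password need not match
-- the source server's; it is a different key, and that is fine.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'TargetDmkP@ssw0rd!';
GO
-- The .pvk is decrypted with the export password and re-encrypted under THIS server's
-- master DMK (itself protected by THIS server's SMK), so the certificate opens at
-- startup without anyone typing a password.
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'C:\Backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\TDE_Cert.pvk',
        DECRYPTION BY PASSWORD = 'PvkExportP@ssw0rd!');
GO
RESTORE DATABASE SalesDB FROM DISK = 'C:\Backup\SalesDB.bak' WITH RECOVERY;
GO
-- Check 1: master's DMK is bound to this server's SMK (1 = yes), so no manual OPEN is
-- needed at service start.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = 'master';
-- Check 2: the DEK reports encryption_state 3 (encrypted) and its encryptor thumbprint
-- matches the certificate we just imported.
SELECT DB_NAME(dek.database_id) AS db, dek.encryption_state, c.name AS cert_name
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint;
GO

-- ===== The answer's AG caveat: a user database with its own DMK =====
-- After a failover the new primary's SMK cannot open this DMK automatically (it was
-- bound to the old primary's SMK). Open it with its password and add an encryption by
-- the local SMK so it opens unattended from now on.
USE SalesDB;
GO
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'UserDbDmkP@ssw0rd!';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
CLOSE MASTER KEY;
GO
```

The second half of the script is the practical answer to the question: the only artefacts that cross from the source to the DR/test server are the .cer, the .pvk (plus its export password) and the database backup. The target's DMK and SMK are never the source's; they just need to exist so that CREATE CERTIFICATE ... WITH PRIVATE KEY has something to re-encrypt the imported private key under. Keep the .pvk export password somewhere other than the backup folder, since anyone holding both files and that password can import the certificate and read the encrypted database.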