Automate Encryption Key opening in HA environment

Question

Post reply

Automate Encryption Key opening in HA environment

juniorDBA13

Ten Centuries

Points: 1049
More actions
June 20, 2017 at 5:08 am

#324117

Hi,
Currently have a database setup in HA.
Whenever a fail over occurs we need to run the below on the new primary in order to open encryption key.
OPEN MASTER KEY DECRYPTION BY PASSWORD and ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
Does anyone know a way to automate this or for it to happen automatically when a fail over occurs?

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply

Perry Whittle SSC Guru Points: 233846 More actions · Answer 1

can you detail a little more about your ha environment please

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" 😉

juniorDBA13 Ten Centuries Points: 1049 More actions · Answer 2

3 Servers.
Server 1 and 2 synchronous commit with automatic fail over.
Server 3, asynchronous with manual fail over.

I can run a job that checks which server is primary and it run the commands if its primary.

Just wondering is it possible for HA to pick this up and open encryption key?

Beatrix Kiddo SSC-Dedicated Points: 32407 More actions · Answer 3

What is "HA" in this scenario? It could be a number of things (FCI, AlwaysOn Availability Groups, etc.)

Perry Whittle SSC Guru Points: 233846 More actions · Answer 4

juniorDBA13 - Tuesday, June 20, 2017 5:52 AM
3 Servers.
Server 1 and 2 synchronous commit with automatic fail over.
Server 3, asynchronous with manual fail over.
I can run a job that checks which server is primary and it run the commands if its primary.
Just wondering is it possible for HA to pick this up and open encryption key?

You shouldnt need to open the database master key if its encrypted by the service master key.

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" 😉

alen teplitsky SSC-Dedicated Points: 30014 More actions · Answer 5

having the same problem now

you can set up a sql job on both ends to run OPEN MASTER KEY DECRYPTION BY PASSWORD and ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY if the replica is primary. Just have the jobs execute every few minutes and write code to check for replica status. problem is the password is going to be in the job text in the open.