SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


SQL AlwaysOn Availability Group - Secondary can not decrypt database master key (DMK)


SQL AlwaysOn Availability Group - Secondary can not decrypt database master key (DMK)

Author
Message
Gamleur84
Gamleur84
SSC-Addicted
SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)

Group: General Forum Members
Points: 407 Visits: 153
I have an encrypted database in SQL AlwaysOn availability group. This issue is pretty simple, I have the following error when the database fails over: Please create a master key in the database or open the master key in the session before performing this operation.

I have been reading a lot about encryption, but I can get it straight. I understand the secondary server is not able to decrypt the data, but I can't find the solution. My temporary solution is to add the service key to the database master key:

OPEN MASTER KEY DECRYPTION BY PASSWORD = ‘<enter the password>’  
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY


All my research leads me to a backup/restore of certificates for TDE, but in my case I am not using TDE, but instead have a table inside the database that is encrypted using a symmetric key protected by a certificate. Those certificates are in the user database rather than master database. I can find 2 certificates when I run the following command:


USE MYDATABASE
SELECT name, subject, start_date, expiry_date
FROM sys.certificates


I have 3 symmetric keys when I run the following command. One for each certificate and one DMK.

USE MYDATABASE
SELECT name, key_length, algorithm_desc, create_date, modify_date
FROM sys.symmetric_keys;


So it seems that my issue is the service key cannot decrypt the DMK on the secondary. How can I fix that ?


Thank you
Steve Jones
Steve Jones
SSC Guru
SSC Guru (351K reputation)SSC Guru (351K reputation)SSC Guru (351K reputation)SSC Guru (351K reputation)SSC Guru (351K reputation)SSC Guru (351K reputation)SSC Guru (351K reputation)SSC Guru (351K reputation)

Group: Administrators
Points: 351192 Visits: 20201
Hmmm, this is tricky. How did you set this up? I suspect that you really needed to restore the SMK from the primary onto the secondaries and then setup the restore.

You're not adding the SMK (Service Master Key) to the DMK (database master key), what you're doing is adding your DMK in the user db to the hierarchy on the secondary that allows the SMK to encrypt the DMK (and decrypt it). What you're running is what is needed. I haven't thought about this from the AG perspective, but really you do need a job that runs this in case something changes, but if you had the same SMK on both instances, then I think this might work.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Gamleur84
Gamleur84
SSC-Addicted
SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)

Group: General Forum Members
Points: 407 Visits: 153
Hi Steve,

You are right, I took a backup of the Service Master Key and restore it on the secondaries and it worked !

Thank you
Perry Whittle
Perry Whittle
SSC Guru
SSC Guru (146K reputation)SSC Guru (146K reputation)SSC Guru (146K reputation)SSC Guru (146K reputation)SSC Guru (146K reputation)SSC Guru (146K reputation)SSC Guru (146K reputation)SSC Guru (146K reputation)

Group: General Forum Members
Points: 146812 Visits: 18282
Gamleur84 - Wednesday, January 17, 2018 11:37 AM
I have an encrypted database in SQL AlwaysOn availability group. This issue is pretty simple, I have the following error when the database fails over: Please create a master key in the database or open the master key in the session before performing this operation.

I have been reading a lot about encryption, but I can get it straight. I understand the secondary server is not able to decrypt the data, but I can't find the solution. My temporary solution is to add the service key to the database master key:

OPEN MASTER KEY DECRYPTION BY PASSWORD = ‘<enter the password>’  
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY


All my research leads me to a backup/restore of certificates for TDE, but in my case I am not using TDE, but instead have a table inside the database that is encrypted using a symmetric key protected by a certificate. Those certificates are in the user database rather than master database. I can find 2 certificates when I run the following command:


USE MYDATABASE
SELECT name, subject, start_date, expiry_date
FROM sys.certificates


I have 3 symmetric keys when I run the following command. One for each certificate and one DMK.

USE MYDATABASE
SELECT name, key_length, algorithm_desc, create_date, modify_date
FROM sys.symmetric_keys;


So it seems that my issue is the service key cannot decrypt the DMK on the secondary. How can I fix that ?


Thank you

You get a similar issue when you put SSISDB into an AG, the key needs to be stored locally so that it can be accessed.
Create a credential to store the DMK using the stored procedure

sp_control_dbmasterkey_password 




Steve Jones - SSC Editor - Wednesday, January 17, 2018 11:47 AM
Hmmm, this is tricky. How did you set this up? I suspect that you really needed to restore the SMK from the primary onto the secondaries and then setup the restore.

You're not adding the SMK (Service Master Key) to the DMK (database master key), what you're doing is adding your DMK in the user db to the hierarchy on the secondary that allows the SMK to encrypt the DMK (and decrypt it). What you're running is what is needed. I haven't thought about this from the AG perspective, but really you do need a job that runs this in case something changes, but if you had the same SMK on both instances, then I think this might work.

No, you don't need to restore the SMK

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
alen teplitsky
alen teplitsky
SSCoach
SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)

Group: General Forum Members
Points: 17393 Visits: 4794
Gamleur84 - Thursday, January 18, 2018 9:48 AM
Hi Steve,

You are right, I took a backup of the Service Master Key and restore it on the secondaries and it worked !

Thank you

Did it break access to existing data?

Gamleur84
Gamleur84
SSC-Addicted
SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)SSC-Addicted (407 reputation)

Group: General Forum Members
Points: 407 Visits: 153
Thanks Perry Whittle, you solution is much better !
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum








































































































































































SQLServerCentral


Search