• Steve Jones - SSC Editor (7/12/2013)


    It's worded poorly in BOL.

    Essentially on the source you:

    - create master key (protected by SMK) in master.

    - create cert, protected by DMK (master key).

    - you backup the cert, decrypting it using the password from the previous step, and assign a (new hopefully) password to the backup. You do this first. Backup certs/keys before you do anything else!

    - you create a DEK in the db you are encrypting, protected by the cert.

    - you enable TDE

    - you backup the TDE database. The DEK is inside this backup as part of the metadata, but it's encrypted and protected by the cert, which is NOT in the backup.

    On a new instance, say in a DR situation or movement to a new instance.

    - you create a master key if there isn't one. If there is, you just need a password protecting this.

    - you create (from file, as restore) the certificate from the backup above. You need the password protecting the files.

    - Now you restore the TDE database. The cert exists, so the instance uses this to decrypt the DEK in the database, subsequently decrypting the data when requested by the new instance.

    I wish I could read this post before I tried to reply. I spent over 40 minutes checking BoL...
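The two procedures the quoted post walks through, written out as T-SQL. This is an added worked example, not part of the original post or of SQL Server documentation; the database name `SalesDB`, the certificate name `TDE_Cert`, the file paths and every password are placeholders chosen for illustration. One point the commands make explicit: because the certificate's private key here is protected by the database master key rather than by its own password, `BACKUP CERTIFICATE` needs no `DECRYPTION BY PASSWORD` clause, only the `ENCRYPTION BY PASSWORD` that protects the backup file. The thumbprint query at the end is the check that tells you, before you attempt a restore, whether the certificate on the new instance is the same one that protects the DEK in the backup.

```sql
-- ===== SOURCE INSTANCE: set up TDE and take the backups =====
USE master;
GO
-- 1. Database master key in master, protected by a password (and by the SMK automatically).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong DMK password>';
GO
-- 2. Certificate whose private key is protected by the DMK.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and its private key BEFORE enabling TDE.
--    No DECRYPTION BY PASSWORD: the private key is DMK-protected, not password-protected.
--    The ENCRYPTION BY PASSWORD value protects the .pvk file and is needed again at restore.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\keys\TDE_Cert.cer'                 -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDE_Cert.pvk',               -- placeholder path
        ENCRYPTION BY PASSWORD = '<placeholder: private key backup password>'
    );
GO
-- 4. Database encryption key inside the database to be encrypted, protected by the cert.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Enable TDE and wait for the background encryption scan to finish
--    (encryption_state 3 = encrypted; 2 = encryption in progress).
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('SalesDB');
GO
-- 6. Back up the database. The DEK travels inside the backup, encrypted by the
--    certificate; the certificate itself does not.
BACKUP DATABASE SalesDB TO DISK = 'C:\backups\SalesDB.bak';   -- placeholder path
GO

-- ===== NEW INSTANCE (DR or migration): restore the cert, then the database =====
USE master;
GO
-- 1. Create a DMK only if this instance has none; an existing DMK is reused as is.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: DMK password on new instance>';
GO
-- 2. Recreate the certificate from the backup files, supplying the password that
--    protected the .pvk file. The private key becomes DMK-protected on this instance.
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'C:\keys\TDE_Cert.cer'               -- copied from source, placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TDE_Cert.pvk',
        DECRYPTION BY PASSWORD = '<placeholder: private key backup password>'
    );
GO
-- 3. Check: the thumbprint here must equal the encryptor_thumbprint reported on the
--    source in the step-5 query above. If it differs, the restore will fail because the
--    instance cannot open the DEK, so fix the certificate first rather than retrying.
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TDE_Cert';
GO
-- 4. Restore. The instance finds TDE_Cert, decrypts the DEK stored in the backup,
--    and serves data transparently from then on.
RESTORE DATABASE SalesDB
    FROM DISK = 'C:\backups\SalesDB.bak'
    WITH MOVE 'SalesDB'     TO 'D:\data\SalesDB.mdf',   -- placeholder logical/physical names
         MOVE 'SalesDB_log' TO 'D:\logs\SalesDB_log.ldf',
         RECOVERY;
GO
```

Two practical notes on the example: the `.cer` and `.pvk` files plus their password are the only things that make the backup recoverable, so they belong in a key store or offline location separate from the `.bak` file, not beside it; and the thumbprint comparison is worth scripting into the DR runbook, since a mismatched certificate is the usual reason a TDE restore fails on a fresh instance.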