SMKs, DMKs, Certificates for TDE and Encrypted Backups

  • Perry Whittle

    Comments posted to this topic are about the item SMKs, DMKs, Certificates for TDE and Encrypted Backups

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Wilfred van Dijk

    Excellent Article!

    In the example for an encrypted backup you refer to [MyNewCert], but the certificate is called [MyServerCert]. (Copy/paste issue I guess 😀 )

    Wilfred
    The best things in life are the simple things

  • jasona.work

    So, a question for you:

    Why do you think there are so many recommendations for backing up and restoring the DMK when working with TDE databases?

    If I recall, the MS Technet page on moving TDE databases makes no mention of it, so where did people get the idea it was required?

    I think I may have asked this next question elsewhere, but my mind ain't what it used to be, so...

    What is the purpose served by backing up the SMK? Are there situations where it would need to be restored to resolve an issue, or is it more a "better safe than sorry" sort of thing?

  • akljfhnlaflkj

    Wow. This just pointed out to me how little I know about this.

  • Perry Whittle

    Wilfred van Dijk (12/9/2015) wrote:

      Excellent Article!

      In the example for an encrypted backup you refer to [MyNewCert], but the certificate is called [MyServerCert]. (Copy/paste issue I guess 😀 )

    Just testing, well spotted 😉

    jasona.work (12/9/2015) wrote:

      So, a question for you:

      Why do you think there are so many recommendations for backing up and restoring the DMK when working with TDE databases?

    Because the people making the recommendations don't understand the DMK or the cert, hence my article. And once more to clarify, you do not need to back up and restore the DMK 😉

    jasona.work (12/9/2015) wrote:

      If I recall, the MS Technet page on moving TDE databases makes no mention of it

    The TechNet page is correct in this case (makes a change 😀 ), only the certificate is required.

    jasona.work (12/9/2015) wrote:

      What is the purpose served by backing up the SMK? Are there situations where it would need to be restored to resolve an issue, or is it more a "better safe than sorry" sort of thing?

    The SMK is the encryptor for all instance-level encryption such as linked server logins. In the event of failure the SMK would be required to decrypt this information.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉
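    The key hierarchy Perry describes above, as an added T-SQL example that is not code from the article or from any poster in this thread: the DEK is protected by a certificate in master, the certificate's private key is protected by the instance's DMK, and only the certificate (with its private key) has to travel to the destination, which gets a DMK of its own. The SMK is backed up separately because it protects instance-level secrets such as linked server passwords, not the TDE chain. The certificate name MyServerCert is the one the thread refers to; the database name, file paths and passwords are assumptions. The final query is the check a practitioner wants after the move: the encryptor thumbprint recorded in the DEK must match a certificate that is actually present in master.

```sql
------------------------------------------------------------------
-- SOURCE instance (assumed database name MyTdeDb; paths/passwords are placeholders)
------------------------------------------------------------------
USE master;
GO
-- The source DMK. It protects the certificate's private key on THIS instance only;
-- it is never restored anywhere else.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Src-DMK-P@ssw0rd!';
GO
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'TDE and backup encryption certificate';
GO
USE MyTdeDb;
GO
-- The DEK lives inside the user database and is encrypted by the certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
ALTER DATABASE MyTdeDb SET ENCRYPTION ON;
GO
USE master;
GO
-- The one artefact the destination needs: the certificate WITH its private key.
-- Without the PRIVATE KEY clause the .cer alone cannot decrypt the DEK.
BACKUP CERTIFICATE MyServerCert
    TO FILE = 'C:\KeyBackups\MyServerCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackups\MyServerCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Cert-Export-P@ssw0rd!');
GO
-- Encrypted backup, referencing the same certificate name used for TDE.
BACKUP DATABASE MyTdeDb
    TO DISK = 'C:\Backups\MyTdeDb.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = MyServerCert),
         COMPRESSION;
GO
-- The SMK backup is for instance-level secrets (linked server logins, credentials),
-- not for the TDE chain; keep it somewhere other than the database backups.
BACKUP SERVICE MASTER KEY
    TO FILE = 'C:\KeyBackups\smk.key'
    ENCRYPTION BY PASSWORD = 'SMK-Export-P@ssw0rd!';
GO

------------------------------------------------------------------
-- DESTINATION instance
------------------------------------------------------------------
USE master;
GO
-- A brand-new DMK with a different password. Nothing from the source DMK is needed;
-- it only has to exist so the imported private key has something to be encrypted by.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dst-DMK-Different-P@ssw0rd!';
GO
-- Import the certificate AND private key before touching the backup file.
CREATE CERTIFICATE MyServerCert
    FROM FILE = 'C:\KeyBackups\MyServerCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackups\MyServerCert.pvk',
                      DECRYPTION BY PASSWORD = 'Cert-Export-P@ssw0rd!');
GO
-- The backup itself is encrypted, so this fails unless the certificate above exists.
RESTORE DATABASE MyTdeDb
    FROM DISK = 'C:\Backups\MyTdeDb.bak'
    WITH RECOVERY;
GO
-- Check: every TDE database's DEK encryptor must resolve to a certificate in master.
-- A NULL cert_name here means the DEK cannot be opened on this instance.
SELECT d.name                    AS database_name,
       dek.encryption_state,     -- 3 = encrypted
       dek.encryptor_type,
       dek.encryptor_thumbprint,
       c.name                    AS cert_name
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d
    ON d.database_id = dek.database_id
LEFT JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint;
GO
```

    The DMK passwords on the two instances deliberately differ to make the point in the post above concrete: the source DMK password is never typed on the destination. The certificate export password is the secret that actually has to be shared between the two sides, so it, the .pvk file, and the SMK backup are the files to protect and store on separate media.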

  • corey lawson

    Yeah, you really want to have your SMK and DMKs in more than one place and media. You're SOL w/o a paddle or a canoe, at different levels (SMK vs DMK), if you can't find them when you need them.

  • quackhandle1975

    Great article, this can be a complex area of SQL Server with nasty consequences if you get it wrong.

    qh

    Who looks outside, dreams; who looks inside, awakes. – Carl Jung.
