SMKs, DMKs, Certificates for TDE and Encrypted Backups

  • Comments posted to this topic are about the item SMKs, DMKs, Certificates for TDE and Encrypted Backups

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Excellent Article!

    In the example for an encrypted backup you refer to [MyNewCert], but the certificate is called [MyServerCert]. (Copy/paste issue I guess 😀 )

    Wilfred
    The best things in life are the simple things

  • So, a question for you:

    Why do you think there are so many recommendations for backing up and restoring the DMK when working with TDE databases?

    If I recall, the MS Technet page on moving TDE databases makes no mention of it, so where did people get the idea it was required?

    I think I may have asked this next question elsewhere, but my mind ain't what it used to be, so...

    What is the purpose served by backing up the the SMK? Are there situations where it would need to be restored to resolve an issue, or is it more a "better safe than sorry" sort of thing?

  • Wow. This just pointed out to me how little I know about this.

  • Wilfred van Dijk (12/9/2015)


    Excellent Article!

    In the example for an encrypted backup you refer to [MyNewCert], but the certificate is called [MyServerCert]. (Copy/paste issue I guess 😀 )

    Just testing, well spotted 😉

    jasona.work (12/9/2015)


    So, a question for you:

    Why do you think there are so many recommendations for backing up and restoring the DMK when working with TDE databases?

    Because the people making the recommendations don't understand the DMK or the cert, hence my article. And once more to clarify, you do not need to backup and restore the DMK 😉

    jasona.work (12/9/2015)


    If I recall, the MS Technet page on moving TDE databases makes no mention of it

    The TechNet page is correct in this case (makes a change 😀 ), only the certificate is required.

    jasona.work (12/9/2015)


    What is the purpose served by backing up the the SMK? Are there situations where it would need to be restored to resolve an issue, or is it more a "better safe than sorry" sort of thing?

    The SMK is the encryptor for all instance level encryption such as linked server logins. In event of failure the SMK would be required to decrypt this information.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Yeah, you really want to have your SMK and DMK's in more than one place and media. You're SOL w/o a paddle or a canoe, at different levels (SMK vs DMK), if you can't find them when you need them.

  • Great article, this can be a complex area of SQL Server with nasty consequences if you get it wrong.

    qh

    [font="Tahoma"]Who looks outside, dreams; who looks inside, awakes. – Carl Jung.[/font]

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply