When you are using encryption in SQL Server, it is
extremely important to back up any encryption keys and certificates and
store them in a secure offsite location. For example, if you are using
transparent data encryption, you cannot restore the encrypted database
on a new system without having the encryption key. There is no back
door. You can't attach the data files or restore the database, period.
There are three objects you should back up when using encryption in SQL
Server: the service master key, the database master key, and any
certificates used for encryption.
The service master key is the
root encryption key for the entire instance of SQL Server. SQL Server
automatically creates the service master key the first time it is needed
to encrypt another key. You should back up the service master key and
keep it and the encryption password in a secure offsite location. The
code to back up the service master key is shown in Listing 1.
Example 1. Code to Backup the Service Master Key
BACKUP SERVICE MASTER KEY TO FILE = 'c:\service_master_key' ENCRYPTION BY PASSWORD = '3ncrypti0nP@$$w0rd' GO
|
The next thing you need to
back up is the database master key. SQL Server uses the database master
key to encrypt other keys and certificates within the database. If the
key is accidently deleted, SQL Server will not be able to decrypt any
objects created using that key. Therefore, you should back up the
database master key and store it in a secure offsite location. You
should also keep a local copy for immediate use. If you encrypted the
database master key using a password, you will first have to open the
key before backing it up. If you encrypted the database master key using
the service master key, you do not have to open the key prior to
backing it up. The code to back up the database master key for the
master database is shown in Listing 2.
Example 2. Code to Back Up the Database Master Key
USE master GO --Open the master key (This is not required if the master key -- is encrypted using the service master key.) OPEN MASTER KEY DECRYPTION BY PASSWORD = 'M@$t3r_K3y_3ncrypti0nP@$$w0rd '
--Back up the database master key BACKUP MASTER KEY TO FILE = 'c:\database_master_key' ENCRYPTION BY PASSWORD = '3ncrypti0nP@$$w0rd' GO
|
Finally, you need to back up any certificates and store them in a secure offsite location. The code in Listing 3 shows the syntax used to back up a certificate along with the private key.
Example 3. Code to Back Up a Certificate and the Private Key
USE master
GO
BACKUP CERTIFICATE TestCert
TO FILE = 'C:\TestCert.cer'
WITH PRIVATE KEY
(FILE = 'C:\TestCertKey.pvk',
ENCRYPTION BY PASSWORD = '3ncrypti0nP@$$w0rd');
GO