MSSQL .BAK Encryption

MSSQL .BAK Encryption

This post goes over TSQL commands to setup and test encrypted backups for MSSQL. Commands provided are intended to be ran on both a Source and Target instance. These should be ran using an SA account to avoid permission issues. If storage paths don't work, just use c:\temp\ and move accordingly.

Source Server:

--- Creates a database master key

USE master
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'valuehere'
GO

--- Backup master key

BACKUP MASTER KEY
TO FILE = 'd:\backuppath\master.key'
ENCRYPTION BY PASSWORD = 'valuehere'
GO

-- Generate Cert for use with DB Backup

USE master
GO
CREATE CERTIFICATE CertName
WITH SUBJECT = 'Test Server Encryption Certificate'
GO

-- Backup DB w/ Cert

BACKUP DATABASE [testdb]
TO DISK = N'd:\backuppath\test.bak'
WITH
   COMPRESSION,     ENCRYPTION     (     ALGORITHM = AES_256,     SERVER CERTIFICATE = CertName     ),     STATS = 10 GO

-- Backup Cert using Private Key and Path

BACKUP CERTIFICATE CertName TO FILE = 'd:\backuppath\certfilename.cer'
   WITH PRIVATE KEY     (     FILE = 'd:\pathtokey\private.key',     ENCRYPTION BY PASSWORD = 'valuehere'     ) GO

-- Drop Key/Cert from MSSQL Instance

DROP MASTER KEY
DROP CERTIFICATE CertName

Target Server:

Copy over Master/Private Keys DB and Cert from your source server before proceeding.

-- Restore Master Key

RESTORE MASTER KEY
FROM FILE = 'd:\pathto\master.key'
DECRYPTION BY PASSWORD = 'valuehere'
ENCRYPTION BY PASSWORD = 'valuehere'

-- Open Master Key

OPEN MASTER KEY
DECRYPTION BY PASSWORD = 'valuehere'

-- Import Certificate w/ Private Key Value

Create CERTIFICATE CertName
FROM FILE = 'd:\pathto\certfilename.cer'
WITH PRIVATE KEY
   (     FILE = 'd:\pathto\private.key'     DECRYPTION BY PASSWORD = 'valuehere'     ) GO

-- Restore DB w/ Overwrite

RESTORE DATABASE [test]
FROM DISK = 'd:\backup\test.bak'
WITH REPLACE
GO

-- Clear Cert/Key on Source or Target

DROP CERTIFICATE CertName
DROP MASTER KEY