TDE after restoring to a Different Instance

  • The Key to TDE is the Encryption Hierarchy.

    - master database must have a MASTER KEY (CREATE MASTER KEY while in the master database)
    - master database certificate: when the MASTER KEY is present, it will encrypt the Certificate. This is so that the Server can decrypt the Private Key to get to the Database Encryption Key to decrypt the data as it flows from the disk to the Buffer Pool.
    - User Database DATABASE ENCRYPTION KEY, and it is encrypted by the Certificate, which is encrypted by the MASTER KEY, which is encrypted by the Service Master Key.

    So when you restored the Certificate in the 2nd instance, it was encrypted by the MASTER KEY in the master database and allowed the restore to take place because you restored the certificate used to encrypt the DATABASE ENCRYPTION KEY in the User Database.

    There is really no need to regenerate the master key in the User Database unless you are using that key for something like Symmetric key encryption or something.  So you should not have to worry about the Master Key in the User Database.

    Ben Miller
    Microsoft Certified Master: SQL Server, SQL MVP
    @DBAduck - http://dbaduck.com
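The hierarchy and the restore sequence described in the post, written out as T-SQL. This is an added example, not code from Ben Miller's post; the database name AppDB, the certificate name TDECert, the file paths and the passwords are placeholders. The final query is a check a DBA can run on the second instance to confirm which certificate protects the restored database's DEK.

```sql
-- Added example (not part of the original post). Names, paths and passwords
-- are placeholders; adjust them for your environment.

----------------------------------------------------------------------
-- Source instance: build the hierarchy top-down
----------------------------------------------------------------------
USE master;
GO
-- Database Master Key (DMK) in master; protected by the Service Master Key (SMK)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO
-- Certificate in master; its private key is protected by the DMK
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for AppDB';
GO
-- Back up the certificate AND its private key right away; this backup is
-- what lets another instance decrypt the DEK later
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\TDEBackup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEBackup\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>');
GO
-- Database Encryption Key (DEK) lives in the user database and is
-- encrypted by the server certificate, not by any key in the user database
USE AppDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE AppDB SET ENCRYPTION ON;
GO
-- Take the (now encrypted) backup that will be moved
BACKUP DATABASE AppDB TO DISK = 'C:\TDEBackup\AppDB.bak';
GO

----------------------------------------------------------------------
-- Target instance: recreate only the master-level pieces, then restore
----------------------------------------------------------------------
USE master;
GO
-- A DMK must exist in master so the restored private key can be protected;
-- its password does not have to match the source instance's DMK
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<different-master-key-password>';
GO
-- Restore the certificate with its private key; this instance's DMK now
-- encrypts that private key
CREATE CERTIFICATE TDECert
    FROM FILE = 'C:\TDEBackup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEBackup\TDECert.pvk',
        DECRYPTION BY PASSWORD = '<strong-private-key-password>');
GO
-- With the certificate in place, the DEK inside the backup can be decrypted
RESTORE DATABASE AppDB FROM DISK = 'C:\TDEBackup\AppDB.bak';
GO

-- Check: is the database encrypted, and which certificate protects its DEK?
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,        -- 3 = encrypted
       dek.key_algorithm,
       dek.key_length,
       c.name AS certificate_name,
       c.thumbprint
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint;
```

If the restore fails with an error about the certificate, the thumbprint in the backup does not match any certificate in the target's master database: the certificate (with its private key) has to be restored before the database, as above. Note that nothing in the user database is recreated; as the post says, the user database's own master key, if one exists, is only relevant to objects it directly protects (such as symmetric keys), not to TDE.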
