Post reply

TDE - Restore unencrypted backup to a server running TDE

  • January 20, 2016 at 8:48 am

    #315128

    I have a server with TDE turned on. I have another server without TDE. Can I restore an unencrypted backup onto the TDE server? Will it then be encrypted or do I turn on encryption at the DB level (not server or instance level)?

    Thanks

    ST

  • January 20, 2016 at 9:40 am

    #1853199

    TDE is a database-level setting, not a server/instance setting.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • January 20, 2016 at 9:49 am

    #1853204

    Thanks, Gail. Final question. There are plans for both servers to use TDE. Once this is done, I'll need to restore a backup from server A to server B. Do I understand correctly that what I'll need on server B is to import Server A's cert and know the password for Server A's DB backup?

  • January 20, 2016 at 10:02 am

    #1853209

    DB Backups don't have passwords. You'll need to have the same certificates (well, the ones used for TDE) on both servers.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • January 20, 2016 at 10:15 am

    #1853216

    you will need to know the password used to protect the certificate from server A in order to import it into server B.

    For security I suggest you then re-encrypt the database with server B's certificate and drop server A's certificate

    ---------------------------------------------------------------------

  • January 21, 2016 at 5:43 am

    #1853442

    Thanks for the responses.

    In our organization we are required to change passwords every N days. I'm not finding clear guidance on this. Should I generate a new certificate with a new password and re-encrypt the DB? Or, should I just update the password? Can you point me to an article?

    Thanks for your help

    ST

  • January 21, 2016 at 6:35 am

    #1853464

    souLTower (1/21/2016)

    Thanks for the responses.

    In our organization we are required to change passwords every N days. I'm not finding clear guidance on this. Should I generate a new certificate with a new password and re-encrypt the DB? Or, should I just update the password? Can you point me to an article?

    I can

    http://blog.dbi-services.com/transparent-data-encryption-key-management-and-backup-strategies/

    ---------------------------------------------------------------------

  • January 21, 2016 at 6:39 am

    #1853466

    Thank you!

    ST

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply