Encrypting a SQL Server database backup is necessary in many cases, especially when the database has sensitive data.
SQL Server provides an easy way to encrypt database backups.
Let’s further examine this functionality with a step-by-step example.
In this example, we are going to backup a SQL Server 2014 database, encrypt it, and then restore it on a SQL Server 2016 instance. The sample database’s name is “TestDB1” (not quite an original name for a database 🙂
In SQL Server Management Studio, if we right-click on the database and go to “Tasks”, “Back Up…”, we are presented with the well-known backup dialog:
If we go to “Backup Options” we see that there is a checkbox named “Encrypt Backup”. By default, this is not available as you prior need to set a new media set in “Media Options”. It will be made available, only if you set a new media set.
Strengthen your SQL Server Administration Skills – Enroll to our Online Course!
Via the course, you will learn essential hands-on SQL Server Administration tips on SQL Server maintenance, security, performance, integration, error handling and more. Many live demonstrations and downloadable resources included!
Lifetime Access / Live Demos / Downloadable Resources and more!
So, we now navigate to “Media Options”, and select to Backup to a new media set by setting up the new media set’s name and description:
Now, if we navigate back to “Backup Options”, we can see that we can check the “Encrypt Backup” checkbox and select an encryption algorithm, but still we need a backup certificate or asymmetric key:
So, we go back to the query window and create a backup certificate for the database as per below example (always use strong passwords, oh well, at least stronger than the one in this example 🙂
--Create Database Master Key and Encrypt it with a Strong Password
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyComplexMasterKeyPassword';
GO
--Create Backup Certificate
USE master;
GO
CREATE CERTIFICATE TestDB1BackupEncryptCert
WITH SUBJECT = 'TestDB1 Backup Encryption Certificate';
GO
--IMPORTANT NOTE: It is critical that you backup the master DB key and the database backup certificate to a secure location
--Backup Master DB Key
BACKUP MASTER KEY
TO FILE = 'c:\tmp\MasterKey.key'
ENCRYPTION BY PASSWORD = 'S3curePass!';
GO
--Export the Backup Certificate to a File
BACKUP CERTIFICATE TestDB1BackupEncryptCert TO FILE = 'c:\tmp\TestDB1Cert.cert'
WITH PRIVATE KEY (
FILE = 'c:\tmp\TestDB1CertKey',
ENCRYPTION BY PASSWORD = 'S3curePassCert!')
Note that the above file keys are created by the service account that runs SQL Server Database Engine and it is the only user that has full access. In order to get access to these files, if you are a local administrator on the machine running SQL Server, you can do so by editing the permissions (via Advanced dialog).
Now, let’s try again to take an encrypted backup of the database:
As you can see, backup was successful. Now, the backup file create is encrypted with the newly created backup certificate.
Now, let’s try to restore the encrypted database backup set to another instance of SQL Server (instance name: “DEMO-PC1”, it is a default instance name).
First, for illustration purposes, let’s just try to restore it without creating a backup certificate on the destination SQL Server instance:
As you can see, it was not possible to restore the encrypted database.
Now, let’s try again but this time prior to running the restore command, we re-create the master DB key as well as the database backup certificate (based on the exported cert/key) on the destination SQL Server instance:
--Recreate master DB key on destination SQL Server instance
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'S3curePass!';
GO
--Restore the Certificate Based on the Previously Exported Key/Cert files
CREATE CERTIFICATE TestDB1BackupEncryptCert
FROM FILE = 'c:\tmpBackups\keys\TestDB1Cert.cert'
WITH PRIVATE KEY (FILE = 'c:\tmpBackups\keys\TestDB1CertKey',
DECRYPTION BY PASSWORD = 'S3curePassCert!');
GO
--Restore Encrypted Database 'TestDB1'
RESTORE DATABASE [TestDB1]
FROM DISK = 'c:\tmpBackups\TestDB1.bak'
WITH MOVE 'TestDB1' TO 'C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\TestDB1_Data.mdf',
MOVE 'TestDB1_Log' TO 'C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\TestDB1_Log.ldf';
GO
As you can see, now the encrypted database has been successfully restored on the destination SQL Server instance:
This article explained by example, a way of encrypting a SQL Server database backup using SQL Server’s built-in security mechanisms and restoring it in another SQL Server instance. Encryption is a very powerful feature in SQL Server and must be used wisely.
SQL Server is a powerful data platform that provides all the necessary mechanisms for achieving almost anything you would like to do with your data. All these mechanisms are built-in and can be easily used just like in this example, where we encrypted a database backup and then restored it on another SQL Server instance.
Watch a Video from our YouTube Channel: How to Secure Your SQL Server Instances
Artemakis Artemiou is a Senior SQL Server Architect, Author, a 9 Times Microsoft Data Platform MVP (2009-2018). He has over 20 years of experience in the IT industry in various roles. Artemakis is the founder of SQLNetHub and {essentialDevTips.com}. Artemakis is the creator of the well-known software tools Snippets Generator and DBA Security Advisor. Also, he is the author of many eBooks on SQL Server. Artemakis currently serves as the President of the Cyprus .NET User Group (CDNUG) and the International .NET Association Country Leader for Cyprus (INETA). Moreover, Artemakis teaches on Udemy, you can check his courses here.
Views:5,702
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent. Read More
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Loading... 