TDE Certificate for DB Restore

  • Dear All,

    I have a query regarding restoring a TDE-enabled database on another SQL instance.
    I understand that to restore a TDE DB, we also have to import the certificate in the target master DB.

    Questions:
    1. Should this be done on every restore, or could this be a one-time activity only? Meaning, import the cert only once.
    2. I assume cert needs a password, so if password has been changed since last restore, then cert needs to be imported again?

    Thanks.

  • One time import. The thumbprint is the same thumbprint.

    If the password changes, do you mean the password for the backup of the cert? Or the certificate itself? If you have the certificate encrypted by the database master key in master, you're fine. Or you should be. I'll try to test.

    You might need to do this, but certainly keep track of the pwd. In case of DR, you shouldn't necessarily depend on any particular server.

  • Thanks for the feedback, Steve.

    If the password changes, do you mean the password for the backup of the cert? Or the certificate itself? If you have the certificate encrypted by the database master key in master, you're fine. Or you should be. I'll try to test.
    -- Password for the Certificate itself.
       I believe the pwd for the backup cert is for safety - in case of any DB issues.

  • From what I understand, if you're changing the password, I believe this means you're exporting the cert again with a new password on the private key file. That's essentially a backup. I don't think you can actually change the password in place, but I may be wrong.

    I don't believe this changes the cert at all, just that this means that if you need to import this on a new instance, you'd need the new password. However, the existing cert in master should still decrypt the TDE files/backups.
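
The one-time import and thumbprint check discussed in the replies above, as an added T-SQL example that is not part of the original thread. The certificate name TDECert, the database name SalesDB, the file paths and the passwords are placeholders assumed for illustration.

```sql
-- === On the SOURCE instance (placeholder names, paths and passwords) ===
USE master;
-- Export the certificate and its private key. The password protects only the
-- exported .pvk file; it does not alter the certificate held in master.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\Backup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<export-file-password>'
    );

-- Thumbprint of the certificate protecting each database encryption key.
SELECT DB_NAME(dek.database_id) AS database_name, c.name AS cert_name, c.thumbprint
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint;

-- === On the TARGET instance: one-time import ===
USE master;
-- A database master key in master is needed to protect the imported private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<target-master-key-password>';

-- Skip the import if the certificate is already present from an earlier restore.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDECert')
    CREATE CERTIFICATE TDECert
        FROM FILE = 'C:\Backup\TDECert.cer'
        WITH PRIVATE KEY (
            FILE = 'C:\Backup\TDECert.pvk',
            DECRYPTION BY PASSWORD = '<export-file-password>'
        );

-- The thumbprint should equal the one recorded on the source, and
-- pvt_key_encryption_type_desc should read ENCRYPTED_BY_MASTER_KEY.
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TDECert';

-- The TDEThumbprint column shows which certificate the backup expects.
RESTORE FILELISTONLY FROM DISK = 'C:\Backup\SalesDB.bak';

-- Later restores reuse the certificate already in master.
-- Add MOVE clauses if the target's file paths differ from the source's.
RESTORE DATABASE SalesDB FROM DISK = 'C:\Backup\SalesDB.bak' WITH RECOVERY;
```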
