Back up the master key and certificate that are used for TDE to a safe location. The master key and certificate are required to restore backups that were taken when the database was encrypted with TDE. After you remove the database encryption key, take a log backup followed by a fresh full backup of the decrypted database.

Restore a Encrypted Database

In order to perform a successful restore, we’ll need the database master key in the master database in place and we’ll need to restore the certificate used to encrypt the database, but we’ll need to make sure we restore it with the private key. In checklist form:

  • There’s a database master key in the master database.
  • The certificate used to encrypt the database is restored along with its private key.

If this is a new server, or a secondary server, you must recreate the Master Key (with the same password) in the master database and recreate the certificate also in the master database.

USE master
GO

-- Restore Master Key. 
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyPassword01';  
GO  


USE master
GO

-- Restore Certificate
CREATE CERTIFICATE TMycertificate01   
FROM FILE = 'D:\TDE\Mycertificate01_backup'  
WITH PRIVATE KEY   
(  
    FILE = 'D:\TDE\MyMasterKey_backup',  
    DECRYPTION BY PASSWORD = 'MyPassword01'  
);  
GO  

Sources:

https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15

https://www.mssqltips.com/sqlservertip/1507/implementing-transparent-data-encryption-in-sql-server-2008/

https://www.mssqltips.com/sqlservertip/3572/recovering-a-sql-server-tde-encrypted-database-successfully/

Last modified: April 20, 2020

Author

Comments

Write a Reply or Comment