Hello:
I'm working with two sql servers instances, ServerA and ServerB, which run under two different service accounts on different machines. They both have a database, DatabaseA, that has some encrypted fields.
If I take a backup of DatabaseA on ServerA and restore it on ServerB, I need to re-encrypt the Database Master Key (DMK) with the Service Master Key (SMK) as follows:
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'pwd used to encrypt DMK'
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
However, if I again take a backup on ServerB and then restore it on ServerA, I can use the DMK on ServerA without re-encrypting it with the SMK.
Shouldn't I have to re-encrypt the DMK with the SMK everytime I restore from a backup that was generated from a different server?
Thanks,
Cyndi
After the initial RESTORE and ALTER MASTER KEY … ADD ENCRYPTION BY SERVER MASTER KEY on ServerB, a redundant copy of the DBMK (protected by ServerB SMK) will be stored in the mater DB; and as long as the DBMK is the same, the copies should be synchronized. This redundant copy is there to minimize the DBMK management after the initial setup (via RESTORE).
I hope this information helps. Please let us know if you have any additional questions and/or if you have any additional feedback.
Thanks a lot,
-Raul Garcia
SDE/T
SQL Server Engine
No comments:
Post a Comment