Is it possible to create encrypted backups using encrypted by password certificate?

dba.stackexchange https://dba.stackexchange.com/questions/188754

Question

I have encrypted by password certificate, which I want to use for backup encryption. The issue is I am not able to use the certificate (in T-SQL statement or maintenance plan) because I am not able to open it - there seems not to be OPEN CERTIFICATE command.

I want to have certificate encrypted by password as our goal is to have only one user who will be responsible for creating/inserting the certificates in the SQL Server Instances. No one else will be able to export the certificate and restore an encrypted backup.

Is it possible, or in order to have encrypted backups I always must have the certificate encrypted by the database master key?

Was it helpful?

Solution

As far as I can see: No, it is not possible to use a Certificate that is protected by a password with the BACKUP command; the Certificate or Asymmetric Key needs to be protected by the Database Master Key (DMK).

  1. The syntax of the BACKUP command statement does not have means of specifying a password for either a Certificate or Asymmetric Key. No, you do not OPEN a Certificate (or even an Asymmetric Key). You only OPEN Symmetric Keys and Database Master Keys (which are symmetric keys).

  2. When attempting to use a Certificate that has been protected with a password, the following error occurs (emphasis added):

    Msg 33101, Level 16, State 1, Line 123
    Cannot use certificate 'BackupEncryption', because its private key is not present or it is not protected by the database master key. SQL Server requires the ability to automatically access the private key of the certificate used for this operation.

I had high hopes that creating a Certificate that was protected by the DMK which had its protection by the Service Master Key (SMK) removed would have worked since that usually forces you to first execute OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password'; in order to do anything with the DMK, and I did have to do just that in order to create the Certificate, BUT, once the Certificate was created (and yes, I did execute CLOSE MASTER KEY;), the BACKUP statement still worked without the DMK needing to be explicitly opened. That is odd since the private key of the Certificate shouldn't be usable without executing OPEN, and the private key is definitely required for encrypting stuff (trying to do an encrypted Backup with a Certificate that has had its private key removed will fail).

Sooooo, it looks like you will need to handle this outside of SQL Server. As in:

  1. Execute the backup
  2. encrypt the .bak file

You can accomplish this in a few ways:

  1. Via stored procedure:

    1. BACKUP...
    2. xp_cmdshell to encrypt

  2. SQL Agent Job

    1. T-SQL step executing BACKUP...
    2. OS command OR PowerShell step doing the encryption

  3. CMD script:

    1. SQLCMD.EXE executing BACKUP...
    2. encrypt
Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange
scroll top