{"id":3680,"date":"2014-03-26T07:55:28","date_gmt":"2014-03-26T06:55:28","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/transparent-data-encryption-key-management-and-backup-strategies\/"},"modified":"2014-03-26T07:55:28","modified_gmt":"2014-03-26T06:55:28","slug":"transparent-data-encryption-key-management-and-backup-strategies","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/transparent-data-encryption-key-management-and-backup-strategies\/","title":{"rendered":"Transparent data encryption, key management and backup strategies"},"content":{"rendered":"<p><img decoding=\"async\" class=\"blog-image aligncenter\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/2e1ax_default_entry_SQLServer_20140326-103734_1.jpg\" alt=\"\" \/><\/p>\n<p>Transparent Data Encryption requires the creation of a database encryption key. This key is part of the SQL Server encryption hierarchy, which has the DPAPI at the top. Traversing the tree from top to bottom, we find the service master key, the database master key, the server certificate or asymmetric key, and finally the database encryption key (AKA the DEK). In this hierarchy each encryption key is protected by its parent. Encryption key management is one of the toughest tasks in cryptography. Managing the encryption keys improperly can compromise the entire security strategy. Here are the basics of encryption key management:<\/p>\n<ul>\n<li>Limit encryption key access to only those who really need it<\/li>\n<li>Back up the encryption keys and secure the backups. This is important so that we can restore them in case of corruption or in disaster recovery scenarios<\/li>\n<li>Rotate the encryption keys on a regular basis. Key rotation on a regular schedule should be part of the IT policy. Leaving the same encryption key in place for lengthy periods of time gives hackers and other malicious persons the time to attack it. 
By rotating your keys regularly, they become a moving target, much harder to hit.<\/li>\n<\/ul>\n<p>SQL Server uses the ANSI X9.17 hierarchical model for key management, which has certain advantages over a flat single-model for encryption keys, particularly in terms of key rotation. With SQL Server, rotating the encryption key that protects the database encryption key requires decrypting and re-encrypting only an insignificantly small amount of symmetric key data, not the entire database.<\/p>\n<p>However, managing the rotation of the encryption key properly is very important. Imagine a scenario where the key is rotated every day (yes, we are paranoid!!!) and the backup strategy consists of a full backup every Sunday and a transaction log backup every night between Monday and Sunday.<\/p>\n<table style=\"border-collapse: collapse\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 64.7pt;border: 1pt solid windowtext;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">Sunday<\/p>\n<\/td>\n<td style=\"width: 64.7pt;border-width: 1pt 1pt 1pt medium;border-style: solid solid solid none;border-color: windowtext windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">Monday<\/p>\n<\/td>\n<td style=\"width: 64.7pt;border-width: 1pt 1pt 1pt medium;border-style: solid solid solid none;border-color: windowtext windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">Tuesday<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: 1pt 1pt 1pt medium;border-style: solid solid solid none;border-color: windowtext windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">Wednesday<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: 1pt 1pt 1pt medium;border-style: solid solid solid none;border-color: windowtext windowtext windowtext -moz-use-text-color;padding: 0cm 
5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">Thursday<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: 1pt 1pt 1pt medium;border-style: solid solid solid none;border-color: windowtext windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">Friday<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: 1pt 1pt 1pt medium;border-style: solid solid solid none;border-color: windowtext windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">Saturday<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 64.7pt;border-right: 1pt solid windowtext;border-width: medium 1pt 1pt;border-style: none solid solid;border-color: -moz-use-text-color windowtext windowtext;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">FULL<\/p>\n<\/td>\n<td style=\"width: 64.7pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">LOG<\/p>\n<\/td>\n<td style=\"width: 64.7pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">LOG<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">LOG<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">LOG<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: 
medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">LOG<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">LOG<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 64.7pt;border-right: 1pt solid windowtext;border-width: medium 1pt 1pt;border-style: none solid solid;border-color: -moz-use-text-color windowtext windowtext;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">TDE_Cert1<\/p>\n<\/td>\n<td style=\"width: 64.7pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">TDE_Cert2<\/p>\n<\/td>\n<td style=\"width: 64.7pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">TDE_Cert3<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">\u2026<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">\u2026<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color 
windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">\u2026<\/p>\n<\/td>\n<td style=\"width: 64.75pt;border-width: medium 1pt 1pt medium;border-style: none solid solid none;border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color;padding: 0cm 5.4pt\" valign=\"top\" width=\"86\">\n<p class=\"Paragraph\">\u2026<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Here is an interesting question I had to answer: if I have a database page corruption on Tuesday morning that requires restoring the affected page from the full backup and the couple of log backups from Monday to Tuesday, does it work with only the third encryption key? In other words, do I need all the certificates TDE_Cert1, TDE_Cert2 and TDE_Cert3 in this case?<\/p>\n<p>To answer, let\u2019s try with the AdventureWorks2012 database and the table Person.Person.<\/p>\n<p>First, we look at the current server certificate used to protect the DEK of the AdventureWorks2012 database (the two results can be correlated through the certificate thumbprint):<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">name <span style=\"color: blue\">AS <span style=\"color: teal\">certificate_name<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">pvt_key_encryption_type_desc <span style=\"color: blue\">AS <span style=\"color: teal\">pvt_key_encryption<span 
style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">thumbprint<\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">master<span style=\"color: gray\">.<span style=\"color: green\">sys<span style=\"color: gray\">.<span style=\"color: green\">certificates <\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WHERE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">name <span style=\"color: gray\">LIKE <span style=\"color: red\">'TDE_Cert%'<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_certificate_1.jpg\" alt=\"billet5_tde_certificate_1\" width=\"581\" height=\"42\" \/><\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 
9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: fuchsia\">DB_NAME<span style=\"color: gray\">(<span style=\"color: teal\">database_id<span style=\"color: gray\">) <span style=\"color: blue\">AS <span style=\"color: teal\">database_name<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">key_algorithm<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">key_length<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">encryptor_type<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">encryptor_thumbprint<\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: green\">sys<span style=\"color: gray\">.<span style=\"color: green\">dm_database_encryption_keys<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: 
normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WHERE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">database_id <span style=\"color: gray\">= <span style=\"color: fuchsia\">DB_ID<span style=\"color: gray\">(<span style=\"color: red\">'AdventureWorks2012'<span style=\"color: gray\">)<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_dek_1.jpg\" alt=\"billet5_tde_dek_1\" width=\"659\" height=\"43\" \/><\/p>\n<p class=\"Paragraph\">Now we perform a full backup of the AdventureWorks2012 database, followed by a transaction log backup:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">BACKUP<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DATABASE <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">TO<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">'E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB.BAK'<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">INIT<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 
10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">BACKUP<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">TO<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">'E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB.TRN'<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">INIT<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_bckp_1.jpg\" alt=\"billet5_tde_bckp_1\" width=\"558\" height=\"189\" \/><\/p>\n<p>Then, according to our rotation strategy, we replace the old server certificate TDE_Cert with the new one, TDE_Cert_2, to protect the DEK:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% 
#bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- Create a new server certificate<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">[master]<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">CREATE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert_2<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">SUBJECT <span style=\"color: gray\">= <span style=\"color: red\">'TDE Certificat 2'<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- 
Encrypt the DEK by the new server certificate TDE_Cert_2<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">AdventureWorks2012<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">ALTER<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DATABASE <span style=\"color: blue\">ENCRYPTION <span style=\"color: blue\">KEY <\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">ENCRYPTION<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">BY <span style=\"color: blue\">SERVER <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert_2<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: 
Consolas;color: green\">-- Drop the old server certificate TDE_Cert <\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">[master]<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">DROP<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">name <span 
style=\"color: blue\">AS <span style=\"color: teal\">certificate_name<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">pvt_key_encryption_type_desc <span style=\"color: blue\">AS <span style=\"color: teal\">pvt_key_encryption<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">thumbprint<\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">master<span style=\"color: gray\">.<span style=\"color: green\">sys<span style=\"color: gray\">.<span style=\"color: green\">certificates <\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WHERE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">name <span style=\"color: gray\">LIKE <span style=\"color: red\">'TDE_Cert%'<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_dek_2.jpg\" alt=\"billet5_tde_dek_2\" width=\"599\" height=\"42\" \/><\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: fuchsia\">DB_NAME<span style=\"color: gray\">(<span style=\"color: teal\">database_id<span style=\"color: gray\">) <span style=\"color: blue\">AS <span style=\"color: teal\">database_name<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">key_algorithm<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">key_length<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">encryptor_type<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: 
teal\">encryptor_thumbprint<\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: green\">sys<span style=\"color: gray\">.<span style=\"color: green\">dm_database_encryption_keys<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WHERE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">database_id <span style=\"color: gray\">= <span style=\"color: fuchsia\">DB_ID<span style=\"color: gray\">(<span style=\"color: red\">'AdventureWorks2012'<span style=\"color: gray\">)<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_certificate_2.jpg\" alt=\"billet5_tde_certificate_2\" width=\"592\" height=\"37\" \/><\/p>\n<p class=\"Paragraph\">We then perform a new log backup:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">BACKUP<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">TO<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: 
red\">'E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB_2.TRN'<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">INIT<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_bckp_2.jpg\" alt=\"billet5_tde_bckp_2\" width=\"593\" height=\"70\" \/><\/p>\n<p>Finally, we repeat the same steps one last time (rotate the server certificate and perform a new log backup):<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- Create a new server certificate<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">[master]<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span 
style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">CREATE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert_3<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">SUBJECT <span style=\"color: gray\">= <span style=\"color: red\">'TDE Certificat 3'<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- Encrypt the DEK by the new server certificate TDE_Cert_3<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">AdventureWorks2012<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: 
blue\">ALTER<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DATABASE <span style=\"color: blue\">ENCRYPTION <span style=\"color: blue\">KEY <\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">ENCRYPTION<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">BY <span style=\"color: blue\">SERVER <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert_3<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- Drop the old server certificate TDE_Cert_2<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">[master]<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: 
Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">DROP<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert_2<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">name <span style=\"color: blue\">AS <span style=\"color: teal\">certificate_name<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">pvt_key_encryption_type_desc <span style=\"color: blue\">AS <span style=\"color: teal\">pvt_key_encryption<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span 
style=\"color: teal\">thumbprint<\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">master<span style=\"color: gray\">.<span style=\"color: green\">sys<span style=\"color: gray\">.<span style=\"color: green\">certificates <\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WHERE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">name <span style=\"color: gray\">LIKE <span style=\"color: red\">&#8216;TDE_Cert%&#8217;<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_certificate_3.jpg\" alt=\"billet5_tde_certificate_3\" width=\"596\" height=\"42\" \/><\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: fuchsia\">DB_NAME<span style=\"color: gray\">(<span style=\"color: teal\">database_id<span style=\"color: gray\">) <span style=\"color: blue\">AS <span style=\"color: teal\">database_name<span 
style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">key_algorithm<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">key_length<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">encryptor_type<span style=\"color: gray\">,<\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: teal\">encryptor_thumbprint<\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: green\">sys<span style=\"color: gray\">.<span style=\"color: green\">dm_database_encryption_keys<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WHERE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">database_id <span style=\"color: gray\">= <span style=\"color: 
fuchsia\">DB_ID<span style=\"color: gray\">(<span style=\"color: red\">&#8216;AdventureWorks2012&#8217;<span style=\"color: gray\">)<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_dek_3.jpg\" alt=\"billet5_tde_dek_3\" width=\"612\" height=\"42\" \/><\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">BACKUP<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">TO<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB_3.TRN&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">INIT<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_bckp_3.jpg\" alt=\"billet5_tde_bckp_3\" width=\"616\" height=\"72\" \/><\/p>\n<p>So, we have achieved our backup strategy with a full backup and a 
sequence of 3 transaction log backups before introducing a database corruption. At the same time we have rotated 3 server certificates used as encryption keys. Now it\u2019s time to corrupt a data page that belongs to the Person.Person table in the AdventureWorks2012 database:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- First we check the IAM page to get a page ID that belongs to the Person.Person table<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">DBCC<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">IND<span style=\"color: gray\">(<span style=\"color: teal\">AdventureWorks2012<span style=\"color: gray\">, <span style=\"color: red\">&#8216;Person.Person&#8217;<span style=\"color: gray\">, 1<span style=\"color: gray\">);<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_dbcc_ind_person_person.jpg\" alt=\"billet5_tde_dbcc_ind_person_person\" width=\"592\" height=\"100\" \/><\/p>\n<p>Then we randomly pick a page from the result, the one with ID 2840. To corrupt the page quickly we use the undocumented DBCC WRITEPAGE command as follows (\/! 
Don\u2019t use DBCC WRITEPAGE in production environment \/!)<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">ALTER<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DATABASE <span style=\"color: teal\">AdventureWorks2012 <span style=\"color: blue\">SET <span style=\"color: blue\">SINGLE_USER<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">DBCC<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">WRITEPAGE<span style=\"color: gray\">(<span style=\"color: teal\">AdventureWorks2012<span style=\"color: gray\">, 1<span style=\"color: gray\">, 2840<span style=\"color: gray\">, 0<span style=\"color: gray\">, 2<span style=\"color: gray\">, 0x1111<span style=\"color: gray\">, 1<span style=\"color: gray\">);<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 
0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">ALTER<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DATABASE <span style=\"color: teal\">AdventureWorks2012 <span style=\"color: blue\">SET <span style=\"color: blue\">MULTI_USER<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p>We corrupt the page with ID 2840 by writing two bytes with the value 0x1111 at offset 0. The last option, directORBufferpool, allows page checksum failures to be simulated by bypassing the buffer pool and flushing the concerned page directly to disk. 
We have to switch the AdventureWorks2012 database to single-user mode in order to use this option.<\/p>\n<p>Now let\u2019s try to get data from the Person.Person table:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">AdventureWorks2012<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: gray\">* <span style=\"color: blue\">FROM <span style=\"color: teal\">Person<span style=\"color: gray\">.<span style=\"color: teal\">Person<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p>As expected, a logical consistency I\/O error with an incorrect checksum occurs while reading the Person.Person table, with the following message:<\/p>\n<p style=\"margin-bottom: 0.0001pt;line-height: normal\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_error_consistency.jpg\" 
alt=\"billet5_tde_error_consistency\" width=\"590\" height=\"143\" \/><\/p>\n<p>At this point we have two options:<\/p>\n<ul>\n<li>Run DBCC CHECKDB with the REPAIR option, but we would likely lose data in this case<\/li>\n<li>Restore page ID 2840 from a consistent full backup and the necessary sequence of transaction log backups, after taking a tail log backup<\/li>\n<\/ul>\n<p>We are reasonable, so we decide to restore page 2840 from the necessary backups, but first we have to take a tail log backup:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">[master]<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- tail log backup<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">BACKUP<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">TO<span style=\"font-size: 
9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_TAILLOG.TRN&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">NORECOVERY<span style=\"color: gray\">, <span style=\"color: blue\">INIT<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p>&#8230;<\/p>\n<p>Now we begin our restore process by trying to restore the concerned page from the full backup, but we encounter the first problem:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: green\">-- Restore the page ID 2840 from the full backup<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">RESTORE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">DATABASE <span style=\"color: teal\">AdventureWorks2012<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">PAGE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: gray\">= <span style=\"color: red\">&#8216;1:2840&#8217;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span 
style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB.BAK&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">NORECOVERY<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_restore_page_full_backup_error.jpg\" alt=\"billet5_tde_restore_page_full_backup_error\" width=\"626\" height=\"81\" \/><\/span><\/span><\/p>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p>According to the above error message we can\u2019t restore the page from this full backup media because it is protected by a server certificate. The displayed thumbprint corresponds to the TDE_Cert certificate which has been deleted during the rotate operation. At this point we can understand why it is important to have a backup of the server certificate stored somewhere. 
We can remember here the basis of encryption and key management.<\/p>\n<p>Of course we are safe and we performed a backup of each server certificate after their creation and thus we can restore the server certificate TDE_Cert:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">[master]<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">CREATE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert<\/span><\/span><\/span><\/span><\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">FILE <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPTDE_Cert.cer&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">PRIVATE <span style=\"color: blue\">KEY<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 
9.5pt;font-family: Consolas;color: gray\">(<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: blue\">FILE <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPTDE_Cert.pvk&#8217;<span style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: blue\">DECRYPTION <span style=\"color: blue\">BY <span style=\"color: blue\">PASSWORD <span style=\"color: gray\">= <span style=\"color: red\">&#8216;P@$$w0rd&#8217;<\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: gray\">);<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #a6a6a6\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p>Now, if we retry restoring the page from the full database backup, it works:<\/p>\n<p style=\"margin-bottom: 0.0001pt;line-height: normal\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_restore_page_full_backup_success.jpg\" alt=\"billet5_tde_restore_page_full_backup_success\" width=\"622\" height=\"137\" \/><\/p>\n<p>To continue with the restore process we now have to restore the transaction log backup sequence, beginning with the 
ADVENTUREWORKS2012_DB.TRN media:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">RESTORE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB.TRN&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">NORECOVERY<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_restore_page_full_backup_success.jpg\" alt=\"billet5_tde_restore_page_full_backup_success\" width=\"612\" height=\"134\" \/><\/span><\/span><\/p>\n<p class=\"Paragraph\"><span 
style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p>Then we try to restore the second transaction log backup ADVENTUREWORKS2012_DB_2.TRN and we face the same problem as with the earlier full backup. To open the backup media we first have to restore the certificate with the thumbprint displayed below:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">RESTORE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB_2.TRN&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">NORECOVERY<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\"><img loading=\"lazy\" 
decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_restore_page_tran_log_backup_1_success.jpg\" alt=\"billet5_tde_restore_page_tran_log_backup_1_success\" width=\"506\" height=\"111\" \/><\/span><\/span><\/p>\n<p>Ok we have to restore the TDE_Cert_2 certificate \u2026<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">CREATE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">CERTIFICATE <span style=\"color: teal\">TDE_Cert_2<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">FILE <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPTDE_Cert_2.cer&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">PRIVATE <span style=\"color: blue\">KEY<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: gray\">(<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: blue\">FILE <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPTDE_Cert_2.pvk&#8217;<span 
style=\"color: gray\">,<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: blue\">DECRYPTION <span style=\"color: blue\">BY <span style=\"color: blue\">PASSWORD <span style=\"color: gray\">= <span style=\"color: red\"><a href=\"mailto:'P@$$w0rd'\">&#8216;P@$$w0rd&#8217;<\/a><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: gray\">);<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p>\u2026 And we retry to restore the second transaction log. As expected it works:<\/p>\n<p style=\"margin-bottom: 0.0001pt;line-height: normal\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_restore_page_tran_log_backup_2_success.jpg\" alt=\"billet5_tde_restore_page_tran_log_backup_2_success\" width=\"619\" height=\"94\" \/><\/p>\n<p>At this point, we have only two transaction log backups to restore: ADVENTUREWORKS2012_DB_3.TRN and the tail log backup ADVENTUREWORKS2012_DB_TAILLO.TRN. 
Fortunately, these last two backup Medias are encrypted by the TDE_Cert_3 which is the current server certificate that protects the DEK.<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">RESTORE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB_3.TRN&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">NORECOVERY<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_restore_page_tran_log_backup_3_success.jpg\" 
alt=\"billet5_tde_restore_page_tran_log_backup_3_success\" width=\"634\" height=\"101\" \/><\/span><\/span><\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">RESTORE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: fuchsia\">LOG <span style=\"color: teal\">[AdventureWorks2012]<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">FROM<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">DISK <span style=\"color: gray\">= <span style=\"color: red\">&#8216;E:SQLSERVERENCRYPTEDBACKUPADVENTUREWORKS2012_DB_TAILLOG.TRN&#8217;<\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">WITH<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: blue\">RECOVERY<span style=\"color: gray\">, <span style=\"color: green\">STATS <span style=\"color: gray\">= 10<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\">\u00a0<\/span><\/span><\/p>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_restore_page_tran_log_backup_4_success.jpg\" alt=\"billet5_tde_restore_page_tran_log_backup_4_success\" 
width=\"626\" height=\"102\" \/><\/span><\/span><\/p>\n<p>The restore process is now finished and we can now reading data from the Person.Person table without problem:<\/p>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">USE<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: teal\">AdventureWorks2012<span style=\"color: gray\">;<\/span><\/span><\/span><\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">GO<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas\">\u00a0<\/span><\/div>\n<div style=\"margin-bottom: 0.0001pt;line-height: normal;background: none repeat scroll 0% 0% #bfbfbf\"><span style=\"font-size: 9.5pt;font-family: Consolas;color: blue\">SELECT<span style=\"font-size: 9.5pt;font-family: Consolas\"> <span style=\"color: gray\">* <span style=\"color: blue\">FROM <span style=\"color: teal\">Person<span style=\"color: gray\">.<span style=\"color: teal\">Person<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n<p class=\"Paragraph\"><span style=\"color: red\"><span style=\"color: #000000\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet5_tde_select_person_person_table.jpg\" alt=\"billet5_tde_select_person_person_table\" width=\"618\" height=\"96\" \/><\/span><\/span><\/p>\n<p>\u2026<\/p>\n<p>To summarize, in this post we have seen the importance of a good key management with the backup \/ restore strategy. 
Of course we took a paranoid scenario to highlight quickly the problem but you can transpose easily the same in a normal context with a fair rotate schedule of the encryptions keys either if it is a server certificate, an asymmetric key or a third party tool. And you, how do you manage your backup strategy with the rotate of encryption keys?<\/p>\n<p><span style=\"float: none;background-color: #ffffff;color: #333333;cursor: text;font-family: Georgia,'Times New Roman','Bitstream Charter',Times,serif;font-size: 16px;font-style: normal;font-variant: normal;font-weight: 400;letter-spacing: normal;text-align: left;text-decoration: none;text-indent: 0px;text-transform: none\">By David Barbarin<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Transparent Data Encryption requires the creation of a database key encryption. The database key is a part of the hierarchy of SQL Server encryption tree with at the top of the tree the DPAPI. Then if we traverse the tree from the top to bottom we can find the service master key, the database master [&hellip;]<\/p>\n","protected":false},"author":26,"featured_media":3556,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[198],"tags":[447,51,448,449],"type_dbi":[],"class_list":["post-3680","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-database-management","tag-encryption","tag-sql-server","tag-tde","tag-transparent-data-encryption"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Transparent data encryption, key management and backup strategies - dbi Blog<\/title>\n<meta name=\"description\" content=\"Transparent data encryption, key management and backup strategies\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, 
max-image-preview:large, max-video-preview:-1\" \/>\n"}