Restore Open master Key Encryption to Test Environment - sql-server

Environment: Win 2012 and SQL 2014 Standard edition.
Issue: I am doing a daily restore of the production database into our test server. The production database has an encryption key. The restore to the test server is a SQL Job that runs nightly.
Items Tried: I have tried to include a step in the sql job to decrypt the key in the test environment: open master key decryption by password = ''. I have tried using EXEC, sp_executesql and embedding the commands in a stored procedure. The only thing that really works is when I open up management studio and run the command manually.
Results From the Job: The job runs successfully but does nothing. I added logging and there is nothing indicating any errors. All the log says is Begin Executing.
Question: Does anybody know how I can embed the open master key decryption by password = '' step into the sql job where the command will work?

I think the issue that you have is that you're successfully opening the master key within that session, but other sessions don't see that. You subsequently need to re-encrypt the database master key with the test server's service master key. Luckily, once you've opened the key with the password (as you already have), it's as easy as:
alter master key add encryption by service master key;
Also, you shouldn't need to do anything fancy in your open master key… statement. That is, no need to wrap it in sp_executesql or any of that.
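The two statements from the answer above, combined into one post-restore job step with a check that fails the step when the key was not re-encrypted. This is an added example, not part of the original answer; the database name TestDb and the password placeholder are assumptions.

```sql
-- Added example: job step to run right after the nightly RESTORE on the test server.
-- Assumptions: the restored database is named TestDb, and the placeholder below
-- stands in for the production database master key (DMK) password.
-- Note: the step text, password included, is stored in msdb (sysjobsteps),
-- so limit who can read job definitions on the test server.
USE [TestDb];
GO

-- Open the DMK with the password it was protected with on production.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<production DMK password>';

-- Add a copy of the DMK encrypted by THIS server's service master key,
-- so that other sessions can open it automatically without the password.
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;

CLOSE MASTER KEY;
GO

-- Fail the job step visibly if the DMK is still not protected by the local
-- service master key, instead of letting the job report success.
IF NOT EXISTS (SELECT 1
               FROM sys.databases
               WHERE name = N'TestDb'
                 AND is_master_key_encrypted_by_server = 1)
BEGIN
    RAISERROR('DMK in TestDb is not encrypted by the service master key.', 16, 1);
END;
GO
```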

Related

The report server was unable to validate the integrity of encrypted data

The report server was unable to validate the integrity of encrypted data in the database. (rsCannotValidateEncryptedData) .
Could not restore the encryption key, so I deleted the keys and tried to regenerate with rskeymgmt with no luck. Getting
'The report server was unable to validate the integrity of encrypted
data in the database. (rsCannotValidateEncryptedData)'
I get that error when accessing http://localhost/ReportServer and when running rskeymgmt -s.
Not sure what next step to take. I have reports that users need to access.
I went into SSRS Configuration Manager > Encryption Keys > click Delete.
When I did that I got the error:
Failed to delete the encryption content in the report server database. Please execute the "DeleteEncryptedContent" stored procedure on the database manually.
To fix it I opened SQL Server Mgmt Studio > expand Databases > right click Report Server > new query and execute:
exec DeleteEncryptedContent
Start > Run > services.msc > Restart the "SQL Server Reporting Service" and it's working.
Restarted the services and now everything is working.
So it looks like in order to generate a new key I need to update the Report Server Service account. After that restart the sql server reporting services.
I no longer have the encryption error, but now I am asked for a log in to the data source after clicking on the report. I enter the creds again but get 'The ConnectionString property has not been initialized.'
Just go to the reporting service manager and delete the encrypted content or change content, then try to connect once more and it will work.
You just need to change the database again if you have already created it; then your problem will be solved.
One reason for this could be that the encryption key did not restore correctly. I migrated a report database from one server to another. I restored the encryption key and all seemed well at first but the error the questioner posted started appearing shortly thereafter. Another site had posted a query to look at the keys in the report database (with further instructions of how to delete) and I noticed when I executed it that the SymmetricKey field for my server was NULL. I restored the encryption key again using the Report Server Configuration Manager and noticed that the SymmetricKeys was now populated. I was then able to browse to the report server.

Physically move mssql instance with service broker to another server

What we are doing is simply shutting down sql server and physically moving the mssql folder to another server. After that operation service broker is not working correctly. What to do to make service broker work on a new server? What's the correct way to move the whole server to a new machine?
We have merge replication which we don't want to reinitialize. So backup/restore and attach/detach is not a good option. Any solutions for reanimation of service broker on a new machine? Recreate certificates/create new SB guid (NEW BROKER)?
Alright, we moved the folder with database files to a fresh new instance of sql server on another machine. After a few tests we get the expected error An error occurred while receiving data: '10054(An existing connection was forcibly closed by the remote host.)'. and in SQLProfiler it shows as Connection handshake failed. Error 15581 occurred while initializing the private key corresponding to the certificate. The SQL Server errorlog and the Windows event log may contain entries related to this error. State 88.
So, I've tried to regenerate master keys on both the main database and the master database. And it worked. Service broker is running well in both directions.
USE <dbName>;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password';
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'password';
CLOSE MASTER KEY;
USE master;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password';
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'password';
CLOSE MASTER KEY;

SQL Server 2008 R2 Errors running SSIS Package through the Job Agent

I have an SSIS Package that I created through the Import Export (32-bit) Tool. When I executed the package manually through the Execute Package Utility the package ran successfully with no issues. However when I try to run the package through a Job Agent in SSMS I keep getting errors. The primary error I get seems to be:
Failed to decrypt protected XML node "DTS:Password" with error
0x8009000B "Key not valid for use in specified state" You may not be
authorized to access this information. This error occurs when there is
a cryptographic error. Verify that the correct key is available.
I'm using SQL Server 2008 R2.
I have researched this error to some degree and I think it has something to do with the package protection level. I feel like I've tried the configurations that make the most sense but none seem to be working for me. The Options are:
Encrypt sensitive data with user key
Do not save sensitive data
Encrypt sensitive data with password
Encrypt all data with user key
Encrypt all data with password
Rely on server storage and roles for access control
I feel like I should be using the last option here (Rely on server storage...) because I prefer to use SQL Server Authentication. I use SQL Server Authentication on the 'Choose Destination' window of the SQL Server Import and Export Wizard, and similarly I use this with the same username and password when I create the Job Agent in SSMS on the General Tab of the Job Step Properties. Is it possible that there is something that I need to add to the User I'm using in SSMS - even though it works outside of SSMS?
Something else I wondered that might have an impact is having the option "Drop and Re-create destination table" checked in the Column Mappings window of the Import and Export Tool. I was using a stored procedure to remove the tables before executing the Job Agent and I feel like it was working at one point - could that have something to do with it?
Again the thing that baffles me most is that it runs no problem when I execute it manually through the 'SQL Server Execute Utility Package' tool.
I've included images of some of the windows I mentioned above if that helps.

moving DB from one host server to another with certificate and encrypted stored procedure

How to move sql database (sql server 2008 r2) from one host server to another if I do not have access to database server so I cannot use Restore from *.bak (it seems the only way to load data is using Generated script, but below are described problems I have)
a) db has Certificate and Symmetric Key
CREATE CERTIFICATE PasswordFieldCertificate
ENCRYPTION BY PASSWORD = 'MyPass'
WITH SUBJECT = 'My DB Certificate'
GO
CREATE SYMMETRIC KEY PasswordFieldSymmetricKey WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE PasswordFieldCertificate;
GO
b) db has an encrypted Stored Procedure; with decryption tools, I got the following code for it:
CREATE PROCEDURE [dbo].[Get_Encryption_key] WITH ENCRYPTION
AS
Begin
OPEN SYMMETRIC KEY PasswordFieldSymmetricKey DECRYPTION BY CERTIFICATE PasswordFieldCertificate with PASSWORD='MyPass';
END
The only thing I imagine I can do:
- restore backup locally
- generate script with CREATE and INSERT statements
- run script on newly created db
But I have the following problems:
a) this method doesn't provide anything regarding Certificates and Keys. Should I somehow create those by myself on new db? How to do this properly, so that I have exactly the same algorithm as it was before and all data could be encrypted/decrypted correctly as before on old server.
b) this doesn't allow to generate script for encrypted Stored Procedure, right? Should I run it by myself?
c) when INSERT scripts are generated (using Task -> Generate Script), the result contains very strange symbols that simply cannot be inserted. For example, one insert statement is something like this:
-- this code is generated but when run it shows Incorrect syntax
INSERT [dbo].[Person] (... [EmailAddress]) VALUES (N'紀눬묮䣹疋ⴐǸ)
I could not even copy/paste the full code; it doesn't appear. But INSERT statements contain "hieroglyphs". And when running the script it shows Incorrect syntax near '紀눬묮䣹疋ⴐǸ'.
P.S.
I have no knowledge about certificates/keys, this is the first time I have to deal with them. Previously I always used simply restore from *.bak file. Unfortunately, now I cannot upload a backup to the new host server (at least I do not get how to do that, we are using GoDaddy as the new host server).

Absent symmetric key and master key after restoring to new server

I had a SQL database on a previous server, for which I had a master key and certificate created using the following syntax:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'AReallyReallyReallySecurePassword!!!!!'
CREATE CERTIFICATE CPCertificate01 WITH SUBJECT = 'CP Certificate'
CREATE SYMMETRIC KEY SSN_Key_01 WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY CERTIFICATE CPCertificate01
I've done a backup of this database, and now restored it onto a new server (fresh install of SQL Server as well).
When I try to run commands against the database, I get this error:
Cannot find the symmetric key 'SSN_Key_01', because it does not exist
or you do not have permission.
However if I run this code...
select * from sys.symmetric_keys
...I can see SSN_Key_01 listed in the result set.
I also get other errors relating to the master key not existing.
Can anyone please guide me as to how I can recreate the encryption settings on the new server without losing any of my data? I still have access to the old server if required. Thanks.
