Absent symmetric key and master key after restoring to new server - sql-server

I had a SQL database on a previous server, for which I had a master key and certificate created using the following syntax:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'AReallyReallyReallySecurePassword!!!!!'
CREATE CERTIFICATE CPCertificate01 WITH SUBJECT = 'CP Certificate'
CREATE SYMMETRIC KEY SSN_Key_01 WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY CERTIFICATE CPCertificate01
I've done a backup of this database, and now restored it onto a new server (fresh install of SQL Server as well).
When I try to run commands against the database, I get this error:
Cannot find the symmetric key 'SSN_Key_01', because it does not exist
or you do not have permission.
However if I run this code...
select * from sys.symmetric_keys
...I can see SSN_Key_01 listed in the result set.
I also get other errors relating to the master key not existing.
Can anyone please guide me as to how I can recreate the encryption settings on the new server without losing any of my data? I still have access to the old server if required. Thanks.

remove master key before migration sql

I moved some jobs from sql 2012 to sql 2016, and I got the error:
Environment reference Id: NULL. Description: Please create a master key in the database or open the master key in the session before performing this operation. Source: .Net SqlClient Data
I want to delete the master key at source and then script out the jobs and then “paste” them in the new sql 2016. (this could be a ‘fix’, right?)
My questions are:
How can I delete the master key in the source server?
Is it a few jobs using this master key, or do all of them require this master key?
Is this “master key” the below? (not sure if the master key is ‘jobs’ or ‘ssis’ level…)
Does the master key have a login name, or is it just a password?
If deleting the master key (not sure if it is one or many) may be risky… I can try contacting the previous DBA we had, and ask for this password.

Restore Open master Key Encryption to Test Environment

Environment: Win 2012 and SQL 2014 Standard edition.
Issue: I am doing a daily restore of the production database into our test server. The production database has an encryption key. The restore to the test server is a SQL Job that runs nightly.
Items Tried: I have tried to include a step in the SQL job to decrypt the key in the test environment: open master key decryption by password = ''. I have tried using EXEC, sp_executesql and embedding the commands in a stored procedure. The only thing that really works is when I open up Management Studio and run the command manually.
Results From the Job: The job runs successfully but does nothing. I added logging and there is nothing indicating any errors. All the log says is Begin Executing.
Question: Does anybody know how I can embed the open master key decryption by password = '' step into the SQL job so that the command will work?
I think the issue that you have is that you're successfully opening the master key within that session, but other sessions don't see that. You subsequently need to re-encrypt the database master key with the test server's service master key. Luckily, once you've opened the key with the password (as you already have), it's as easy as:
alter master key add encryption by service master key;
Also, you shouldn't need to do anything fancy in your open master key… statement. That is, no need to wrap it in sp_executesql or any of that.

Physically move mssql instance with service broker to another server

What we are doing is simply shutting down SQL Server and physically moving the mssql folder to another server. After that operation, Service Broker is not working correctly. What should we do to make Service Broker work on a new server? What's the correct way to move the whole server to a new machine?
We have merge replication which we don't want to reinitialize, so backup/restore and attach/detach is not a good option. Any solutions for reanimation of Service Broker on a new machine? Recreate certificates/create new SB guid (NEW BROKER)?
Alright, we moved the folder with the database files to a fresh new instance of SQL Server on another machine. After a few tests we get the expected error An error occurred while receiving data: '10054(An existing connection was forcibly closed by the remote host.)'. and in SQLProfiler it shows as Connection handshake failed. Error 15581 occurred while initializing the private key corresponding to the certificate. The SQL Server errorlog and the Windows event log may contain entries related to this error. State 88.
So, I've tried to regenerate the master keys on both the main database and the master database, and it worked. Service Broker is running well in both directions.
USE <dbName>;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password';
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'password';
CLOSE MASTER KEY;
USE master;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password';
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'password';
CLOSE MASTER KEY;

moving DB from one host server to another with certificate and encrypted stored procedure

How do I move a SQL database (SQL Server 2008 R2) from one host server to another if I do not have access to the database server, so I cannot use Restore from *.bak? (It seems the only way to load data is using a generated script, but the problems I have are described below.)
a) db has Certificate and Symmetric Key
CREATE CERTIFICATE PasswordFieldCertificate
ENCRYPTION BY PASSWORD = 'MyPass'
WITH SUBJECT = 'My DB Certificate'
GO
CREATE SYMMETRIC KEY PasswordFieldSymmetricKey WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE PasswordFieldCertificate;
GO
b) db has an encrypted Stored Procedure; with decryption tools, I got the following code for it:
CREATE PROCEDURE [dbo].[Get_Encryption_key] WITH ENCRYPTION
AS
Begin
OPEN SYMMETRIC KEY PasswordFieldSymmetricKey DECRYPTION BY CERTIFICATE PasswordFieldCertificate with PASSWORD='MyPass';
END
The only thing I imagine I can do:
- restore backup locally
- generate script with CREATE and INSERT statements
- run script on newly created db
But I have the following problems:
a) this method doesn't provide anything regarding Certificates and Keys. Should I somehow create those by myself on new db? How to do this properly, so that I have exactly the same algorithm as it was before and all data could be encrypted/decrypted correctly as before on old server.
b) this doesn't allow to generate script for encrypted Stored Procedure, right? Should I run it by myself?
c) when INSERT scripts are generated (using Task -> Generate Script), the result contains very strange symbols that simply cannot be inserted. For example, one insert statement is something like this:
-- this code is generated but when run it shows Incorrect syntax
INSERT [dbo].[Person] (... [EmailAddress]) VALUES (N'紀눬묮䣹疋ⴐǸ)
I could not even copy/paste the full code; it doesn't appear. But the INSERT statements contain "hieroglyphs", and when running the script it shows Incorrect syntax near '紀눬묮䣹疋ⴐǸ'.
P.S.
I have no knowledge about certificates/keys; this is the first time I have to deal with them. Previously I always simply used restore from a *.bak file. Unfortunately, now I cannot upload a backup to the new host server (at least I do not get how to do that; we are using GoDaddy as the new host server).

SQL Server 2005 - Restoring an encrypted DB on a different server

I have backed up an encrypted DB (symmetric key/certificate) and restored it on a different server.
Unfortunately we're having problems with the decryption... hoping someone can help.
In the restored db, I can see the Symmetric Key and the Certificate in SSMS, but when I try to Open the key using the cert ( open symmetric key KeyA decryption by certificate CertB ) I get the following very descriptive error:
Msg 15466, Level 16, State 1, Line 1
An error occurred during decryption.
Any ideas?
Thanks in advance.
http://blogs.msdn.com/lcris/archive/2007/11/16/sql-server-2005-restoring-the-backup-of-a-database-that-uses-encryption.aspx answers this:
"When you restore a database that uses encryption features, there is only one thing you need to take care of - if the database master key (DbMK) needs a service master key (SMK) encryption, you need to regenerate this encryption. Note that this encryption is made by default when you create the DbMK, but it may be intentionally dropped, if you want tighter control of access to the encrypted data. Anyway, if you did have such SMK encryption for the DbMK, the steps to regenerate it are the following:
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password'
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
CLOSE MASTER KEY
That's it - the database encryption features should now work as when the backup was taken. Also note that it doesn't matter if you restore the database on the server where the backup was taken or elsewhere. The only thing that matters for this procedure is that you know one of the passwords protecting the DbMK."
The master key was decrypted by the service master key on the source server and we were decrypting the master key with password on the destination. I altered the master key to be decrypted by the service master key and it's working now.
The problem you are probably experiencing is that the Database Master Key for the servers is different. To my understanding the other keys are based off of this and it could cause problems when trying to decrypt the data. Check out the encryption hierarchy for a description of the steps that go into data encryption.
I hope this answer helps and isn't too off-track. :)
http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/thread/34c9c35c-2d08-4873-abfd-aae40240dfe7/?prof=required
That link worked for me, follow the 2 links to backup/restore
You can do the restore from the destination server using a UNC, you do not have to copy the file.
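
The re-encryption step from the quoted blog post and from the nightly-restore answer above, written as a post-restore script with a verification step. This is an added example, not code from any of the posts; RestoredDb and the password literal are placeholders, and SSN_Key_01 / CPCertificate01 are the names from the first question.

```sql
-- Added example: run on the destination server after RESTORE DATABASE.
-- RestoredDb and the password below are placeholders (assumptions).
USE RestoredDb;
GO

BEGIN TRY
    -- The destination server's service master key (SMK) cannot decrypt the
    -- restored database master key (DbMK), so open it with a password that
    -- protected it on the source server.
    OPEN MASTER KEY DECRYPTION BY PASSWORD = '<DbMK password placeholder>';

    -- Store a copy of the DbMK encrypted by this server's SMK, so that
    -- other sessions no longer need the password to use it.
    ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;

    CLOSE MASTER KEY;
END TRY
BEGIN CATCH
    -- Re-raise so that a SQL Agent job step reports failure instead of
    -- finishing "successfully" without having changed anything.
    DECLARE @msg nvarchar(2048);
    SET @msg = ERROR_MESSAGE();
    RAISERROR('DbMK re-encryption failed: %s', 16, 1, @msg);
END CATCH;
GO

-- Verification 1: the server-level flag for SMK protection of the DbMK.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = DB_NAME();

-- Verification 2: open the symmetric key WITHOUT opening the DbMK first.
-- This works only if the DbMK is now decrypted automatically via the SMK.
OPEN SYMMETRIC KEY SSN_Key_01 DECRYPTION BY CERTIFICATE CPCertificate01;

SELECT key_name, status
FROM sys.openkeys;          -- lists keys open in this session

CLOSE SYMMETRIC KEY SSN_Key_01;
GO
```

When this runs as a job step, the DbMK password sits in the job definition, so limit who can read jobs on the test server. Adding SMK encryption also means the destination server can open the DbMK without the password, which is the trade-off the quoted post refers to as "tighter control of access".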