Microsoft SQL Server 2014 for sure is bringing a lot of cool features/enhancements to aid DBAs and Database Developers….and one of my favorite features it has to offer for a DBA is “Native Database Backup Encryption”.
Till SQL Server 2012:
Let’s say you need to send a backup to Vendor and you want it to be encrypted as per your company security policies. Well, there is no way you can create an encrypted SQL Server database backup natively without help of third party backup tools from vendors like RedGate, Dell, Idera etc. If we don’t have any of those backup tools in our shop, our choice will be pretty much restricted to enabling TDE on the database and take a backup which will be automatically encrypted as well(Unfortunately TDE is Enterprise Edition only feature). What if you are running on standard edition?
Starting SQL Server 2014:
All you’ve to do is select a checkbox while taking a backup(if you are using SSMS GUI) or providing few additional switches in your T-SQL backup statement 🙂
Note: We should create Master Key and Certificate to be able to Encrypt the database backup.
Is this Enterprise Only Feature?
Nope 🙂 You can take Encrypted backups in Enterprise,Business Intelligence and Standard Editions.
Do we need to Turn on TDE at database level?
What are the supported Encryption algorithms?
AES_128, AES_192, AES_256, and Triple DES.
So, Now you can Encrypt your database backup in Enterprise,Standard,BI,Developer Editions and an encrypted backup can be restored on any edition(as long as you’ve got certificates 😀 )
Okay folks, now It’s Demo time……I’ve SQL Server 2014 CTP2 Installed in my lab and I created a test database “Tst” for this demo purpose. As of now, it’s a brand new Instance and a brand new database without any keys and certificates.
We’ve to create a Master Key and a Certificate in MASTER Database.(Shown Below)
Step 2: (Am using SSMS for now).
Go to Database Tasks from object Explorer and select backup. In “General” tab , select your database Backup Path and now navigate to “Media Options” tab. This is important…“Backup to existing Media set” is not supported for Encrypted Backups as of SSMS 2014 CTP2. You should select “Backup to a new media set“(Shown below). Am not sure if this intended or Just a bug which will be fixed in RTM.
If not, your encryption section under “Backup Options” tab will be greyed out as you can see in the below screenshot 😦
After selecting your backup path and selecting Backup to new media set, check the Encrypt Backup option in the “Backup Options” tab and select your desired Algorithm and choose the Certificate which we’ve created in Step 1.
Click “OK”. Tadaaaaaaaaaaa……That’s it guys, we’ve created an Encrypted SQL Server Database Backup 🙂
Btw, if you are interested in T-SQL Syntax, here it is…
BACKUP DATABASE [Tst] TO DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Backup\tst_Encrypt.bak'
WITH FORMAT, INIT, MEDIADESCRIPTION = N'tst Bak', MEDIANAME = N'Tst bac',
NAME = N'Tst-Full Database Backup', SKIP, NOREWIND, NOUNLOAD,
ENCRYPTION(ALGORITHM = AES_256, SERVER CERTIFICATE = [Bcks_Cert]), STATS = 10, CHECKSUM
In the next post let’s see how to restore this encrypted backup.