Quick note:
SQL management studio dont allow encrypted database to be added from the GUI. So we have the following work around to have encrypted database in msSQL2014 AlwaysON.
Briefly the procedure is as follows:
Primary node : add master key, create a certificate, backup key and certificate.
Primary node : create a dummy database, create the main database which will be encrypted.
Primary node : encrypt main database, backup the database.
Secondary node: import the key and certificate
Secondary node: restore encrypted database.
Primary node : create AG with the dummy database and both node as asycn, manual failover.
Primary node : add the main encrypted database using SQL command.
Secondary node: add the main database using SQL.
Primary node : change failover and sync mode to auto and sync.
In detail the procedure is described in sequence:
Primary node:
/* create master key*/
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = ‘V3RyC0mplicated#K3Y’;
/* create certificate*/
Use Master
GO
CREATE CERTIFICATE cryptdbcert
WITH SUBJECT = ‘crype db certificate’;
GO
/* database encryption */
USE cryptdb
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE [cryptdbcert]
GO
ALTER DATABASE [cryptdb] SET ENCRYPTION ON
GO
then take a backup of the master key and the certificate. keep the files in a secure place and copy securely to secondary node.( which will be imported into the secondary database)
/* backup master key*/
backup master key
to file = ‘c:cryptdb_master_key.key’
encryption by password = ‘V3RyC0mplicated#K3Y’;
go
/* backup certificate*/
backup certificate prod1cert
to file = ‘c:cryptdbcert.crt’;
go
/* backup the database */
BACKUP DATABASE cryptdb
TO DISK = ‘c:cryptdb-encrypted backup.trn’
With compression,
ENCRYPTION
(
ALGORITHM = AES_128,
SERVER CERTIFICATE = [cryptdbcert]
);
GO
BACKUP LOG cryptdb
TO DISK = ‘c:cryptdb-log.bak’
WITH INIT, STATS ;
GO
After this step create a dummy database which will be used to create availability group.
once AG is created add the encrypted database into the AG by the following SQL:
ALTER AVAILABILITY GROUP tde ADD DATABASE cryptdb
On the secondary node:
Copy the certificate and key that was backup in primary node to secondary node. Then import the certificate by the following( assuming the files are copied in C: drive)
/* import certificate */
CREATE CERTIFICATE cryptdbcert
FROM FILE = ‘C:cryptdbcert.crt’
WITH PRIVATE KEY
( FILE = ‘c:cryptdb_master_key.key’,
DECRYPTION BY PASSWORD = ‘V3RyC0mplicated#K3Y’);
GO
Now import encrypted database using management studio:
<< this is very important “restore with no recovery”
the join cryptdb in secondary node into AG by simply right clicking it.!
Now you can check AG status from the dashboard.
Should you have any query don’t hesitate to ask me.
Cheers
Jamal Ahmed
jahmed@zoonetix.com