SQL 服务器迁移和加密问题
SQL Server Migration and Encryption issue
我有些困惑,需要一些帮助。我们正在将 SQL Server 2014 企业版从本地迁移到 AWS SQL Server 2017 企业系统。
当前系统包含用于列级加密的 TDE 和对称密钥加密。这就是乐趣的开始。我能够将数据库恢复到新的 2017 实例,恢复后 TDE 正常工作。对称密钥列级加密不起作用。
使用以下代码创建的对称加密:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'passwowrd';
CREATE CERTIFICATE AUPW WITH SUBJECT = 'AccountsUsers-Credentials';
CREATE SYMMETRIC KEY AccountsUsers_Credentials
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE AUPW;
然后我采取以下步骤尝试将主密钥和对称密钥恢复到新服务器。
在 SQL Server 2014 实例上:
OPEN MASTER KEY DECRYPTION BY PASSWORD = N'password';
GO
BACKUP MASTER KEY
TO FILE = N'...\MSSQL\DATA\masterkey.dmk'
ENCRYPTION BY PASSWORD = 'password'
GO
BACKUP CERTIFICATE AUPW
TO FILE ='...\MSSQL\DATA\AUPW.cer'
WITH PRIVATE KEY
(FILE ='...\MSSQL\DATA\AUPW.pk', ENCRYPTION BY PASSWORD ='password')
在 SQL Server 2017 实例上,恢复数据库并确保 TDE 正常工作且数据库可访问后,我尝试 运行 以下代码:
USE NewDB
GO
RESTORE MASTER KEY
FROM FILE = N'...\MSSQL\DATA\Masterkey.dmk'
decryption by password = 'password'
encryption by password = 'password'
GO
CREATE CERTIFICATE AUPW FROM FILE ='...\MSSQL\DATA\AUPW.cer'
WITH PRIVATE KEY(FILE='...\MSSQL\DATA\AUPW.pk',
DECRYPTION BY PASSWORD='password',
ENCRYPTION BY PASSWORD='password');
但是,当我 运行 RESTORE MASTER KEY 命令时,出现以下错误:
Msg 15329, Level 16, State 30, Line 43
The current master key cannot be decrypted. If this is a database master key, you should attempt to open it in the session before performing this operation. The FORCE option can be used to ignore this error and continue the operation but the data encrypted by the old master key will be lost.
我尝试打开主密钥,但出现错误,但我使用的密码与备份 DBMK 时打开主密钥的密码相同。
Msg 15313, Level 16, State 1, Line 41
The key is not encrypted using the specified decryptor.
强制选项也不起作用,创建新的主密钥也不起作用。
有人看到我在这里做错了什么吗?我现在唯一能想到的另一件事是在迁移之前关闭所有加密,但我不太喜欢这个选项。
感谢帮助。
目标中出现错误的原因是服务主密钥(在 SQL 服务器实例级别)在目标中与源中不同。
数据库主密钥由源服务器上的服务主密钥加密。
Refer to article
因此,在源代码中,首先您需要删除服务主密钥的加密并添加额外的密码加密,然后再进行备份。
alter master key add encryption by password = 'Pass@1234'
alter master key drop encryption by service master key
Post还原,在目的地,您必须按照以下步骤操作:
open master key decryption by password = 'Pass@1234'
alter master key add encryption by service master key
alter master key drop encryption by password = 'Pass@1234'
参考以下文章:
我有些困惑,需要一些帮助。我们正在将 SQL Server 2014 企业版从本地迁移到 AWS SQL Server 2017 企业系统。
当前系统包含用于列级加密的 TDE 和对称密钥加密。这就是乐趣的开始。我能够将数据库恢复到新的 2017 实例,恢复后 TDE 正常工作。对称密钥列级加密不起作用。
使用以下代码创建的对称加密:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'passwowrd';
CREATE CERTIFICATE AUPW WITH SUBJECT = 'AccountsUsers-Credentials';
CREATE SYMMETRIC KEY AccountsUsers_Credentials
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE AUPW;
然后我采取以下步骤尝试将主密钥和对称密钥恢复到新服务器。
在 SQL Server 2014 实例上:
OPEN MASTER KEY DECRYPTION BY PASSWORD = N'password';
GO
BACKUP MASTER KEY
TO FILE = N'...\MSSQL\DATA\masterkey.dmk'
ENCRYPTION BY PASSWORD = 'password'
GO
BACKUP CERTIFICATE AUPW
TO FILE ='...\MSSQL\DATA\AUPW.cer'
WITH PRIVATE KEY
(FILE ='...\MSSQL\DATA\AUPW.pk', ENCRYPTION BY PASSWORD ='password')
在 SQL Server 2017 实例上,恢复数据库并确保 TDE 正常工作且数据库可访问后,我尝试 运行 以下代码:
USE NewDB
GO
RESTORE MASTER KEY
FROM FILE = N'...\MSSQL\DATA\Masterkey.dmk'
decryption by password = 'password'
encryption by password = 'password'
GO
CREATE CERTIFICATE AUPW FROM FILE ='...\MSSQL\DATA\AUPW.cer'
WITH PRIVATE KEY(FILE='...\MSSQL\DATA\AUPW.pk',
DECRYPTION BY PASSWORD='password',
ENCRYPTION BY PASSWORD='password');
但是,当我 运行 RESTORE MASTER KEY 命令时,出现以下错误:
Msg 15329, Level 16, State 30, Line 43
The current master key cannot be decrypted. If this is a database master key, you should attempt to open it in the session before performing this operation. The FORCE option can be used to ignore this error and continue the operation but the data encrypted by the old master key will be lost.
我尝试打开主密钥,但出现错误,但我使用的密码与备份 DBMK 时打开主密钥的密码相同。
Msg 15313, Level 16, State 1, Line 41
The key is not encrypted using the specified decryptor.
强制选项也不起作用,创建新的主密钥也不起作用。
有人看到我在这里做错了什么吗?我现在唯一能想到的另一件事是在迁移之前关闭所有加密,但我不太喜欢这个选项。
感谢帮助。
目标中出现错误的原因是服务主密钥(在 SQL 服务器实例级别)在目标中与源中不同。
数据库主密钥由源服务器上的服务主密钥加密。 Refer to article
因此,在源代码中,首先您需要删除服务主密钥的加密并添加额外的密码加密,然后再进行备份。
alter master key add encryption by password = 'Pass@1234'
alter master key drop encryption by service master key
Post还原,在目的地,您必须按照以下步骤操作:
open master key decryption by password = 'Pass@1234'
alter master key add encryption by service master key
alter master key drop encryption by password = 'Pass@1234'
参考以下文章: