
SQL Server 2005 - Restoring an encrypted DB on a different server

I have backed up an encrypted DB (symmetric key/certificate) and restored it on a different server.

Unfortunately we're having problems with the decryption... hoping someone can help.

In the restored db, I can see the Symmetric Key and the Certificate in SSMS, but when I try to Open the key using the cert (open symmetric key KeyA decryption by certificate CertB) I get the following very descriptive error:

Msg 15466, Level 16, State 1, Line 1 An error occurred during decryption.

Any ideas?

Thanks in advance.

http://blogs.msdn.com/lcris/archive/2007/11/16/sql-server-2005-restoring-the-backup-of-a-database-that-uses-encryption.aspx answers this:

"When you restore a database that uses encryption features, there is only one thing you need to take care of - if the database master key (DbMK) needs a service master key (SMK) encryption, you need to regenerate this encryption. Note that this encryption is made by default when you create the DbMK, but it may be intentionally dropped, if you want tighter control of access to the encrypted data. Anyway, if you did have such SMK encryption for the DbMK, the steps to regenerate it are the following:

    OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password'
    ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
    CLOSE MASTER KEY

That's it - the database encryption features should now work as when the backup was taken. Also note that it doesn't matter if you restore the database on the server where the backup was taken or elsewhere. The only thing that matters for this procedure is that you know one of the passwords protecting the DbMK."

The master key was decrypted by the service master key on the source server and we were decrypting the master key with password on the destination. I altered the master key to be decrypted by the service master key and it's working now.
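The procedure quoted from the blog post, followed by the statement from the question, written out as one script for the destination server. This is an added example, not part of the original posts; `RestoredDb` and the password literal are placeholders, while `KeyA` and `CertB` are the names used in the question.

```sql
-- Added example: run on the destination server after RESTORE DATABASE.
-- RestoredDb and the password literal are placeholders (assumptions);
-- KeyA and CertB are the key and certificate names from the question.
USE RestoredDb;
GO

-- 1. See how the certificate's private key is protected.
--    ENCRYPTED_BY_MASTER_KEY means the database master key (DbMK) has to be
--    usable before CertB can decrypt KeyA.
SELECT name, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'CertB';

-- 2. Open the DbMK with one of the passwords that protect it, then add
--    encryption by this server's service master key (SMK) so that SQL Server
--    can open the DbMK automatically from now on.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<DbMK password>';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
CLOSE MASTER KEY;
GO

-- 3. Confirm that the DbMK now carries SMK encryption (expect 1).
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = 'RestoredDb';

-- 4. Retry the statement that raised Msg 15466. The DbMK is closed at this
--    point, so success here shows it is being opened through the SMK.
OPEN SYMMETRIC KEY KeyA DECRYPTION BY CERTIFICATE CertB;

-- KeyA should be listed as an open key in this session.
SELECT key_name, status
FROM sys.openkeys;

CLOSE SYMMETRIC KEY KeyA;
GO
```

If the SMK encryption was dropped on purpose to restrict access to the encrypted data, skip step 2's `ALTER MASTER KEY` and instead open the DbMK by password in each session before step 4.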

http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/thread/34c9c35c-2d08-4873-abfd-aae40240dfe7/?prof=required

That link worked for me, follow the 2 links to backup/restore

You can do the restore from the destination server using a UNC, you do not have to copy the file.

The problem you are probably experiencing is that the Database Master Key for the servers is different. To my understanding the other keys are based off of this and it could cause problems when trying to decrypt the data. Check out the encryption hierarchy for a description of the steps that go into data encryption.

I hope this answer helps and isn't too off-track. :)
