Backup-DbaServiceMasterKey

Author Chrissy LeMaire (@cl), netnerds.net
Availability Windows, Linux, macOS

 

Want to see the source code for this command? Check out Backup-DbaServiceMasterKey on GitHub.
Want to see the Bill Of Health for this command? Check out Backup-DbaServiceMasterKey.

Synopsis

Exports SQL Server Service Master Key to an encrypted backup file for disaster recovery.

Description

Creates an encrypted backup of the SQL Server Service Master Key (SMK), which sits at the top of SQL Server's encryption hierarchy. The Service Master Key encrypts Database Master Keys and certificates, making its backup critical for disaster recovery scenarios where encrypted databases need to be restored or moved between servers. The backup file is password-protected and can be stored in the default backup directory or a custom location. This prevents the need to manually recreate encryption keys and certificates when rebuilding servers or migrating encrypted databases.

Syntax

Backup-DbaServiceMasterKey
    [-SqlInstance] <DbaInstanceParameter[]>
    [[-SqlCredential] <PSCredential>]
    [[-KeyCredential] <PSCredential>]
    [[-SecurePassword] <SecureString>]
    [[-Path] <String>]
    [[-FileBaseName] <String>]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> Backup-DbaServiceMasterKey -SqlInstance server1\sql2016
>> ComputerName : SERVER1
>> InstanceName : SQL2016
>> SqlInstance  : SERVER1\SQL2016
>> Filename     : E:\MSSQL13.SQL2016\MSSQL\Backup\server1$sql2016-SMK-20170614162311.key
>> Status       : Success

Prompts for the export password, logs into server1\sql2016 with Windows credentials, then backs up the service master key to the default backup directory.

Example: 2
PS C:\> Backup-DbaServiceMasterKey -SqlInstance Server1 -Path \\nas\sqlbackups\keys

Logs into Server1 with Windows credentials, then backs up the service master key to the \\nas\sqlbackups\keys directory.

Required Parameters

-SqlInstance

The target SQL Server instance or instances.

Alias
Required True
Pipeline true (ByValue)
Default Value

Optional Parameters

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Alias
Required False
Pipeline false
Default Value

-KeyCredential

Provides an alternative way to pass the encryption password using a PowerShell credential object.
Use this when you need to automate the backup process without interactive password prompts or when integrating with credential management systems.

Alias
Required False
Pipeline false
Default Value

-SecurePassword

Sets the password used to encrypt the Service Master Key backup file. Must be provided as a SecureString object for security.
If not specified, you'll be prompted to enter the password interactively. Store this password securely as it's required to restore the Service Master Key during disaster recovery.

Alias Password
Required False
Pipeline false
Default Value

-Path

Specifies the directory where the Service Master Key backup file will be created. Defaults to the SQL Server instance's configured backup directory if not specified.
Use this when you need to store the backup in a specific location for compliance, network storage, or organizational requirements.

Alias
Required False
Pipeline false
Default Value

-FileBaseName

Overrides the default naming convention to use a custom base name for the backup file. The system automatically appends ".key" to whatever name you provide.
Use this when you need predictable file names for automation scripts or when following specific naming standards in your environment.

Alias
Required False
Pipeline false
Default Value

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False

-WhatIf

Shows what would happen if the command were to run. No actions are actually performed.

Alias wi
Required False
Pipeline false
Default Value

-Confirm

Prompts you for confirmation before executing any changing operations within the command.

Alias cf
Required False
Pipeline false
Default Value
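
An unattended run that combines -SecurePassword, -Path, -FileBaseName and -EnableException, given here as an added example that is not part of the dbatools documentation. The secret name, the SecretManagement vault and the share permissions are assumptions.

```powershell
# Added example, not dbatools' own code. Assumptions: a SecretManagement vault holds
# a string secret named 'smk-backup-password' (hypothetical name), and the share is
# writable by the SQL Server service account and readable by the account running this.
Import-Module dbatools
Import-Module Microsoft.PowerShell.SecretManagement

$instance = 'server1\sql2016'
$keyPath  = '\\nas\sqlbackups\keys'
# Timestamped base name so each run gets its own file; ".key" is appended by the command.
$baseName = 'server1-sql2016-SMK-{0:yyyyMMddHHmmss}' -f (Get-Date)

# Get-Secret returns string secrets as SecureString unless -AsPlainText is used,
# so the password never exists as plain text in this script.
$password = Get-Secret -Name 'smk-backup-password'
if ($password -isnot [securestring]) {
    throw "Secret 'smk-backup-password' is not a string secret; refusing to continue."
}

$backupParams = @{
    SqlInstance     = $instance
    SecurePassword  = $password
    Path            = $keyPath
    FileBaseName    = $baseName
    EnableException = $true      # surface failures as terminating errors for try/catch
    Confirm         = $false     # no confirmation prompt in an unattended run
}

try {
    $result = Backup-DbaServiceMasterKey @backupParams
    if ($result.Status -ne 'Success') {
        throw "Backup returned status '$($result.Status)'."
    }
    # Record a hash with the job output so a later restore can confirm the file is unchanged.
    $hash = Get-FileHash -LiteralPath $result.Filename -Algorithm SHA256
    [pscustomobject]@{
        SqlInstance = $result.SqlInstance
        Filename    = $result.Filename
        SHA256      = $hash.Hash
    }
}
catch {
    Write-Error "Service Master Key backup failed on '$instance': $($_.Exception.Message)"
    exit 1
}
```

Keep the password in a different store from the .key file, since the file is only as protected as that password.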