| Author | Stuart Moore (@napalmgram), stuart-moore.com |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Get-DbaDbAsymmetricKey on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaDbAsymmetricKey.
Retrieves asymmetric keys from SQL Server databases for encryption management and security auditing
Retrieves asymmetric keys stored in SQL Server databases, including their encryption algorithms, key lengths, owners, and thumbprints.
This function is essential for security audits and encryption key management, allowing DBAs to inventory all asymmetric keys across databases without manually querying system catalogs.
Asymmetric keys are used for encryption, digital signatures, and certificate creation in SQL Server's transparent data encryption and column-level encryption features.
Returns detailed key properties to help with compliance reporting and security assessments.
Get-DbaDbAsymmetricKey
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-ExcludeDatabase] <String[]>]
[[-Name] <String[]>]
[[-InputObject] <Database[]>]
[-EnableException]
[<CommonParameters>]
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance sql2016
Gets all Asymmetric Keys
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance Server1 -Database db1
Gets the Asymmetric Keys for the db1 database
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance Server1 -Database db1 -Name key1
Gets the key1 Asymmetric Key within the db1 database
The target SQL Server instance
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies which databases to scan for asymmetric keys. Accepts wildcards for pattern matching.
Use this when you need to audit encryption keys in specific databases instead of scanning all databases on the instance.
Essential for targeted security assessments or compliance audits of particular applications.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Excludes specific databases from the asymmetric key scan. Accepts wildcards for pattern matching.
Use this to skip system databases, test databases, or databases known to not contain encryption keys.
Helps focus audits on production databases and reduces noise in security assessments.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Filters results to asymmetric keys with specific names. Accepts wildcards and multiple key names.
Use this when tracking specific keys during key rotation, compliance audits, or troubleshooting encryption issues.
Common when validating that required encryption keys exist across multiple databases.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Accepts database objects from the pipeline, typically from Get-DbaDatabase.
Use this to chain database filtering with key retrieval, such as getting keys from databases with specific properties.
Enables advanced filtering scenarios like scanning only databases created after a certain date or with particular owners.
| Alias | |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |