Get-DbaDbEncryption

Author Stephen Bennett, sqlnotesfromtheunderground.wordpress.com
Availability Windows, Linux, macOS

 

Want to see the source code for this command? Check out Get-DbaDbEncryption on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaDbEncryption.

Synopsis

Retrieves comprehensive encryption inventory from SQL Server databases including TDE status, certificates, and keys.

Description

Audits database-level encryption across SQL Server instances by examining TDE encryption status, certificates, asymmetric keys, and symmetric keys within each database. Returns detailed information including key algorithms, lengths, owners, backup dates, and expiration dates for compliance reporting and security assessments. Particularly useful for encryption audits, certificate lifecycle management, and ensuring regulatory compliance across your SQL Server environment.

Syntax

Get-DbaDbEncryption
    [-SqlInstance] <DbaInstanceParameter[]>
    [[-SqlCredential] <PSCredential>]
    [[-Database] <Object[]>]
    [[-ExcludeDatabase] <Object[]>]
    [-IncludeSystemDBs]
    [-EnableException]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01

List all encryption found on the instance, by database.

Example: 2
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -Database MyDB

List all encryption found for the MyDB database.

Example: 3
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -ExcludeDatabase MyDB

List all encryption found for all databases except MyDB.

Example: 4
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -IncludeSystemDBs

List all encryption found for all databases including the system databases.

Required Parameters

-SqlInstance

The target SQL Server instance or instances. This can be a collection and receive pipeline input.

Alias
Required True
Pipeline true (ByValue)
Default Value

Optional Parameters

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Alias
Required False
Pipeline false
Default Value

-Database

Specifies which databases to examine for encryption objects including TDE, certificates, and keys. Accepts database names as strings or arrays.
Use this to focus encryption audits on specific databases rather than scanning all user databases on the instance.

Alias
Required False
Pipeline false
Default Value

-ExcludeDatabase

Excludes specific databases from the encryption inventory scan. Useful when you need to audit most databases but skip certain ones.
Commonly used to exclude databases with known encryption issues or maintenance databases that don't require encryption compliance checks.

Alias
Required False
Pipeline false
Default Value

-IncludeSystemDBs

Includes system databases (master, model, msdb, tempdb) in the encryption inventory. By default, only user databases are scanned.
Use this when conducting comprehensive security audits that require visibility into system database encryption objects and TDE configurations.

Alias
Required False
Pipeline false
Default Value False

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False