Author | Stephen Bennett, sqlnotesfromtheunderground.wordpress.com |
Availability | Windows, Linux, macOS |
Retrieves comprehensive encryption inventory from SQL Server databases including TDE status, certificates, and keys.
Audits database-level encryption across SQL Server instances by examining TDE encryption status, certificates, asymmetric keys, and symmetric keys within each database. Returns detailed information including key algorithms, lengths, owners, backup dates, and expiration dates for compliance reporting and security assessments. Particularly useful for encryption audits, certificate lifecycle management, and ensuring regulatory compliance across your SQL Server environment.
Get-DbaDbEncryption
[-SqlInstance] <DbaInstanceParameter[]>
[[-SqlCredential] <PSCredential>]
[[-Database] <Object[]>]
[[-ExcludeDatabase] <Object[]>]
[-IncludeSystemDBs]
[-EnableException]
[<CommonParameters>]
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01
List all encryption found on the instance by database.
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -Database MyDB
List all encryption found for the MyDB database.
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -ExcludeDatabase MyDB
List all encryption found for all databases except MyDB.
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -IncludeSystemDBs
List all encryption found for all databases including the system databases.
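An added example, not part of the dbatools documentation or source: a pipeline filter that turns the inventory into lifecycle findings based on the backup dates, expiration dates and key lengths the description mentions. The function name, the thresholds, and the output property names and `Encryption` values are assumptions; the sample records are constructed so the filter runs without a server.

```powershell
# Added example. Property names and Encryption values below are assumptions about
# the command's output; confirm with: Get-DbaDbEncryption -SqlInstance DEV01 | Get-Member
function Test-EncryptionFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Record,
        [int] $ExpiryWarningDays = 60,          # hypothetical policy threshold
        [int] $MinAsymmetricKeyLength = 2048,   # hypothetical policy threshold
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        if ($Record.Encryption -eq 'Certificate') {
            # A never-backed-up certificate may surface as $null or DateTime.MinValue.
            if ($null -eq $Record.LastBackup -or $Record.LastBackup -eq [datetime]::MinValue) {
                $findings += 'certificate has no recorded backup'
            }
            if ($Record.ExpirationDate -is [datetime]) {
                $daysLeft = [int][math]::Floor(($Record.ExpirationDate - $Now).TotalDays)
                if ($daysLeft -lt 0) { $findings += "expired $([math]::Abs($daysLeft)) days ago" }
                elseif ($daysLeft -le $ExpiryWarningDays) { $findings += "expires in $daysLeft days" }
            }
        }
        if ($Record.Encryption -like 'Asymmetric*' -and $Record.KeyLength -and
            [int]$Record.KeyLength -lt $MinAsymmetricKeyLength) {
            $findings += "key length $($Record.KeyLength) below $MinAsymmetricKeyLength"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Database = $Record.Database
                Type     = $Record.Encryption
                Name     = $Record.Name
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample records so the filter runs without a SQL Server instance.
$sample = @(
    [pscustomobject]@{ Database = 'Sales';  Encryption = 'Certificate';    Name = 'TDECert_Sales'; LastBackup = [datetime]::MinValue;  KeyLength = $null; ExpirationDate = [datetime]'2025-02-01' }
    [pscustomobject]@{ Database = 'HR';     Encryption = 'Certificate';    Name = 'HRCert';        LastBackup = [datetime]'2024-11-02'; KeyLength = $null; ExpirationDate = [datetime]'2024-12-31' }
    [pscustomobject]@{ Database = 'Legacy'; Encryption = 'Asymmetric key'; Name = 'OldSigningKey'; LastBackup = $null;                  KeyLength = 1024;  ExpirationDate = $null }
    [pscustomobject]@{ Database = 'Sales';  Encryption = 'Symmetric key';  Name = 'PiiKey';        LastBackup = $null;                  KeyLength = 256;   ExpirationDate = $null }
)
$sample | Test-EncryptionFinding -Now ([datetime]'2025-01-15') | Format-Table -AutoSize
# Against a live instance: Get-DbaDbEncryption -SqlInstance DEV01 | Test-EncryptionFinding
```

The missing-backup check matters most for certificates that protect TDE: without a backup of the certificate and its private key, the encrypted database cannot be restored on another server.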
-SqlInstance
The target SQL Server instance or instances. This can be a collection and receive pipeline input.
Alias | |
Required | True |
Pipeline | true (ByValue) |
Default Value |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Database
Specifies which databases to examine for encryption objects including TDE, certificates, and keys. Accepts database names as strings or arrays.
Use this to focus encryption audits on specific databases rather than scanning all user databases on the instance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-ExcludeDatabase
Excludes specific databases from the encryption inventory scan. Useful when you need to audit most databases but skip certain ones.
Commonly used to exclude databases with known encryption issues or maintenance databases that don't require encryption compliance checks.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-IncludeSystemDBs
Includes system databases (master, model, msdb, tempdb) in the encryption inventory. By default, only user databases are scanned.
Use this when conducting comprehensive security audits that require visibility into system database encryption objects and TDE configurations.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |