Author | Chrissy LeMaire (@cl), netnerds.net |
Availability | Windows, Linux, macOS |
Retrieves Transparent Data Encryption (TDE) database encryption keys from SQL Server databases
Retrieves detailed information about Transparent Data Encryption (TDE) database encryption keys including encryption state, algorithm, and certificate details. This function helps DBAs audit encrypted databases, verify TDE configuration, and gather key information for compliance reporting or troubleshooting encryption issues. Returns comprehensive key properties like thumbprint, encryption type, and important dates for certificate rotation planning.
Get-DbaDbEncryptionKey
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-ExcludeDatabase] <String[]>]
[[-InputObject] <Database[]>]
[-EnableException]
[<CommonParameters>]
PS C:\> Get-DbaDbEncryptionKey -SqlInstance sql2016
Gets all encryption keys from sql2016
PS C:\> Get-DbaDbEncryptionKey -SqlInstance sql01 -Database db1
Gets the encryption key for the db1 database on the sql01 instance
PS C:\> Get-DbaDbEncryptionKey -SqlInstance sql01 -Database db1 -Certificate cert1
Gets the cert1 encryption key within the db1 database
PS C:\> Get-DbaDbEncryptionKey -SqlInstance sql01 -Database db1 -Subject 'Availability Group Cert'
Gets the encryption key within the db1 database that has the subject 'Availability Group Cert' on sql01
-SqlInstance
The target SQL Server instance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Database
Specifies which databases to retrieve TDE encryption keys from. Accepts wildcards for pattern matching.
Use this when you need to check encryption status for specific databases instead of all databases on the instance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-ExcludeDatabase
Excludes specific databases from the encryption key retrieval operation. Useful when scanning all databases except certain ones like system databases or test databases.
Commonly used to skip tempdb or databases that are known to be unencrypted.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-InputObject
Accepts database objects piped from Get-DbaDatabase or other dbatools commands. This allows you to filter databases using Get-DbaDatabase's extensive filtering options before checking encryption keys.
Particularly useful for complex database selection scenarios or when working with specific database collections.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
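An added example, not part of the dbatools documentation or source: a TDE audit check of the kind the description mentions, written to be fed through the -InputObject pipeline with -EnableException. The helper name Test-TdeKeyHealth, the 365-day rotation limit and the output property names (assumed to follow SMO's DatabaseEncryptionKey object) are assumptions, and the sample objects are constructed.

```powershell
# Hypothetical helper (not part of dbatools): flags TDE keys needing attention.
# Assumption: key objects expose EncryptionState, EncryptionAlgorithm,
# RegenerateDate and Thumbprint, as SMO's DatabaseEncryptionKey does.
function Test-TdeKeyHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Key,
        [int] $MaxKeyAgeDays = 365   # assumed rotation policy
    )
    process {
        $findings = @()
        if ("$($Key.EncryptionState)" -ne 'Encrypted') {
            $findings += "state is $($Key.EncryptionState)"
        }
        if ("$($Key.EncryptionAlgorithm)" -notlike 'Aes*') {
            $findings += "non-AES algorithm $($Key.EncryptionAlgorithm)"
        }
        $ageDays = [int]((Get-Date) - $Key.RegenerateDate).TotalDays
        if ($ageDays -gt $MaxKeyAgeDays) {
            $findings += "key is $ageDays days old (limit $MaxKeyAgeDays)"
        }
        [pscustomobject]@{
            SqlInstance = $Key.SqlInstance
            Database    = $Key.Database
            Thumbprint  = $Key.Thumbprint
            KeyAgeDays  = $ageDays
            Compliant   = ($findings.Count -eq 0)
            Findings    = $findings -join '; '
        }
    }
}

# Constructed sample objects so the check runs without a SQL Server instance.
$sample = @(
    [pscustomobject]@{ SqlInstance = 'sql01'; Database = 'db1'; EncryptionState = 'Encrypted'
        EncryptionAlgorithm = 'Aes256'; RegenerateDate = (Get-Date).AddDays(-30); Thumbprint = 'CONSTRUCTED-01' }
    [pscustomobject]@{ SqlInstance = 'sql01'; Database = 'db2'; EncryptionState = 'EncryptionInProgress'
        EncryptionAlgorithm = 'TripleDes'; RegenerateDate = (Get-Date).AddDays(-800); Thumbprint = 'CONSTRUCTED-02' }
)
$sample | Test-TdeKeyHealth | Format-Table -AutoSize

# Against a live instance (sql01 as in the examples above); -EnableException
# makes a failed connection or query terminate so the audit cannot pass silently:
# try {
#     Get-DbaDatabase -SqlInstance sql01 -ExcludeSystem |
#         Get-DbaDbEncryptionKey -EnableException | Test-TdeKeyHealth
# } catch { Write-Error "TDE audit failed: $_" }
```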