Get-DbaDbEncryptionKey

Author Chrissy LeMaire (@cl), netnerds.net
Availability Windows, Linux, macOS

 

Want to see the source code for this command? Check out Get-DbaDbEncryptionKey on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaDbEncryptionKey.

Synopsis

Retrieves Transparent Data Encryption (TDE) database encryption keys from SQL Server databases

Description

Retrieves detailed information about Transparent Data Encryption (TDE) database encryption keys including encryption state, algorithm, and certificate details. This function helps DBAs audit encrypted databases, verify TDE configuration, and gather key information for compliance reporting or troubleshooting encryption issues. Returns comprehensive key properties like thumbprint, encryption type, and important dates for certificate rotation planning.

Syntax

Get-DbaDbEncryptionKey
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Database] <String[]>]
    [[-ExcludeDatabase] <String[]>]
    [[-InputObject] <Database[]>]
    [-EnableException]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> Get-DbaDbEncryptionKey -SqlInstance sql2016

Gets all encryption keys from sql2016

Example: 2
PS C:\> Get-DbaDbEncryptionKey -SqlInstance sql01 -Database db1

Gets the encryption key for the db1 database on the sql01 instance

Example: 3
PS C:\> Get-DbaDbEncryptionKey -SqlInstance sql01 -ExcludeDatabase tempdb

Gets the encryption keys for all databases on sql01 except tempdb

Example: 4
PS C:\> Get-DbaDatabase -SqlInstance sql01 -Database db1 | Get-DbaDbEncryptionKey

Gets the encryption key for the db1 database on sql01 by piping the database object from Get-DbaDatabase
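
An added example, not part of the dbatools documentation or source: a hypothetical helper, Test-TdeKeyPolicy, that checks the key properties named in the Description (encryption state, algorithm, key dates) against a local policy. The property names follow the SMO DatabaseEncryptionKey object and are assumptions here, as are the policy defaults and the constructed sample records.

```powershell
function Test-TdeKeyPolicy {
    # Hypothetical helper (not a dbatools command): audits key objects against a local policy.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Key,
        [string[]]$AllowedAlgorithm = @('Aes256'),   # policy assumption
        [int]$MaxKeyAgeDays = 365,                   # policy assumption
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $issues = @()
        # Compare as strings so SMO enum values and the sample strings behave the same.
        if ("$($Key.EncryptionState)" -ne 'Encrypted') {
            $issues += "state is $($Key.EncryptionState)"
        }
        if ("$($Key.EncryptionAlgorithm)" -notin $AllowedAlgorithm) {
            $issues += "algorithm $($Key.EncryptionAlgorithm) not in policy"
        }
        # Key age counts from the most recent of creation or regeneration.
        $lastSet = @($Key.CreateDate, $Key.RegenerateDate) | Sort-Object | Select-Object -Last 1
        $age = [int][math]::Floor(($AsOf - $lastSet).TotalDays)
        if ($age -gt $MaxKeyAgeDays) { $issues += "key is $age days old" }

        [pscustomobject]@{
            Database  = $Key.Database
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues -join '; '
        }
    }
}

# Constructed sample records standing in for Get-DbaDbEncryptionKey output.
$sample = @(
    [pscustomobject]@{
        Database = 'db1'; EncryptionState = 'Encrypted'; EncryptionAlgorithm = 'Aes256'
        CreateDate = [datetime]'2024-01-10'; RegenerateDate = [datetime]'2024-01-10'
    }
    [pscustomobject]@{
        Database = 'db2'; EncryptionState = 'EncryptionInProgress'; EncryptionAlgorithm = 'Aes128'
        CreateDate = [datetime]'2021-03-02'; RegenerateDate = [datetime]'2021-03-02'
    }
)
$sample | Test-TdeKeyPolicy -AsOf ([datetime]'2024-06-01') | Format-Table -AutoSize
# Against a live instance: Get-DbaDbEncryptionKey -SqlInstance sql01 | Test-TdeKeyPolicy
```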

Optional Parameters

-SqlInstance

The target SQL Server instance

Alias
Required False
Pipeline false
Default Value

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Alias
Required False
Pipeline false
Default Value

-Database

Specifies which databases to retrieve TDE encryption keys from. Accepts wildcards for pattern matching.
Use this when you need to check encryption status for specific databases instead of all databases on the instance.

Alias
Required False
Pipeline false
Default Value

-ExcludeDatabase

Excludes specific databases from the encryption key retrieval operation. Useful when scanning all databases except certain ones like system databases or test databases.
Commonly used to skip tempdb or databases that are known to be unencrypted.

Alias
Required False
Pipeline false
Default Value

-InputObject

Accepts database objects piped from Get-DbaDatabase or other dbatools commands. This allows you to filter databases using Get-DbaDatabase's extensive filtering options before checking encryption keys.
Particularly useful for complex database selection scenarios or when working with specific database collections.

Alias
Required False
Pipeline true (ByValue)
Default Value

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False