| Author | Chrissy LeMaire (@cl), netnerds.net |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Get-DbaDbMasterKey on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaDbMasterKey.
Retrieves database master key information from SQL Server databases
Retrieves database master key objects and their metadata from one or more SQL Server databases. Database master keys are used to encrypt sensitive data through features like Transparent Data Encryption (TDE), column-level encryption, and certificate-based encryption. This function helps DBAs inventory encryption keys across their environment for security audits, compliance reporting, and encryption management. Returns key details including creation date, last modified date, and server encryption status.
Get-DbaDbMasterKey
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-ExcludeDatabase] <String[]>]
[[-InputObject] <Database[]>]
[-EnableException]
[<CommonParameters>]
PS C:\> Get-DbaDbMasterKey -SqlInstance sql2016
Gets all master database keys
PS C:\> Get-DbaDbMasterKey -SqlInstance Server1 -Database db1
Gets the master key for the db1 database
The target SQL Server instance
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies which databases to check for database master keys. Accepts wildcards for pattern matching.
Use this when you need to audit encryption keys for specific databases instead of scanning all databases on the instance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies databases to skip when checking for master keys. Accepts wildcards for pattern matching.
Use this to exclude system databases or databases you know don't use encryption features during security audits.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Accepts database objects from Get-DbaDatabase through the pipeline for master key analysis.
Use this when you need to check master keys for databases that match specific criteria like compatibility level or size.
| Alias | |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |