commands

^

New-DbaDbEncryptionKey

Author Chrissy LeMaire (@cl), netnerds.net
Availability Windows, Linux, macOS

 

Want to see the source code for this command? Check out New-DbaDbEncryptionKey on GitHub.
Want to see the Bill Of Health for this command? Check out New-DbaDbEncryptionKey.

Synopsis

Creates a new database encryption key that is encrypted by the instance certificate

Description

Creates a new database encryption key. If no database is specified, the encryption key will be created in master.

In order to encrypt the database encryption key with an asymmetric key, you must use an asymmetric key that resides on an extensible key management provider.

Syntax

New-DbaDbEncryptionKey
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Database] <String[]>]
    [[-EncryptorName] <String>]
    [[-Type] <String>]
    [[-EncryptionAlgorithm] <String>]
    [[-InputObject] <Database[]>]
    [-Force]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> $dbs = Get-DbaDatabase -SqlInstance sql01 -Database pubs
PS C:\> $db | New-DbaDbEncryptionKey

Creates an Aes256 encryption key for the pubs database on sql01. Automatically selects a cert database in master if one (and only one) non-system certificate exists.
Prompts for confirmation.

Example: 2
PS C:\> New-DbaDbEncryptionKey -SqlInstance sql01 -Database db1 -EncryptorName "sql01 cert" -EncryptionAlgorithm Aes192 -Confirm:$false

Creates an Aes192 encryption key for the pubs database on sql01 using the certiciated named "sql01 cert" in master.
Does not prompt for confirmation.

Optional Parameters

-SqlInstance

The target SQL Server instance or instances.

Alias
Required False
Pipeline false
Default Value
-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Alias
Required False
Pipeline false
Default Value
-Database

The database where the encryption key will be created. Defaults to master.

Alias
Required False
Pipeline false
Default Value master
-EncryptorName

The name of the encryptor (Certificate or Asymmetric Key) in master that will be used. Tries to find one if one is not specified.
In order to encrypt the database encryption key with an asymmetric key, you must use an asymmetric key that resides on an extensible key management provider.

Alias Certificate,CertificateName
Required False
Pipeline false
Default Value
-Type

Specifies an encryption type of Certificate or Asymmetric Key. Defaults to Certificate.

Alias
Required False
Pipeline false
Default Value Certificate
Accepted Values Certificate,AsymmetricKey
-EncryptionAlgorithm

Specifies an encryption algorithm. Defaults to Aes256.
Options are: "Aes128", "Aes192", "Aes256", "TripleDes"

Alias
Required False
Pipeline false
Default Value Aes256
Accepted Values Aes128,Aes192,Aes256,TripleDes
-InputObject

Enables piping from Get-DbaDatabase

Alias
Required False
Pipeline true (ByValue)
Default Value
-Force

When a certificate encryptor is used, this command will refuse to create an encryption key for a certificate that has not been backed up
Use Force to create an encryption key even though the specified cert has not been backed up
Also, if EncryptorName is specified and the certificate does not exist, it will be created when Force is specified

Alias
Required False
Pipeline false
Default Value False
-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False
-WhatIf

Shows what would happen if the command were to run. No actions are actually performed.

Alias wi
Required False
Pipeline false
Default Value
-Confirm

Prompts you for confirmation before executing any changing operations within the command.

Alias cf
Required False
Pipeline false
Default Value