commands

^

New-DbaDbEncryptionKey

Author Chrissy LeMaire (@cl), netnerds.net
Availability Windows, Linux, macOS

 

Want to see the source code for this command? Check out New-DbaDbEncryptionKey on GitHub.
Want to see the Bill Of Health for this command? Check out New-DbaDbEncryptionKey.

Synopsis

Creates database encryption keys for Transparent Data Encryption (TDE)

Description

Creates database encryption keys (DEKs) required for Transparent Data Encryption, using certificates or asymmetric keys from the master database. This is the essential first step before enabling TDE on any database to encrypt data at rest. The function automatically validates that certificates have been backed up before creating encryption keys, preventing potential data loss scenarios. If no encryptor is specified, it will automatically select an appropriate certificate or asymmetric key from master database.

Syntax

New-DbaDbEncryptionKey
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Database] <String[]>]
    [[-EncryptorName] <String>]
    [[-Type] <String>]
    [[-EncryptionAlgorithm] <String>]
    [[-InputObject] <Database[]>]
    [-Force]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> $dbs = Get-DbaDatabase -SqlInstance sql01 -Database pubs
PS C:\> $db | New-DbaDbEncryptionKey

Creates an Aes256 encryption key for the pubs database on sql01. Automatically selects a cert database in master if one (and only one) non-system certificate exists.
Prompts for confirmation.

Example: 2
PS C:\> New-DbaDbEncryptionKey -SqlInstance sql01 -Database db1 -EncryptorName "sql01 cert" -EncryptionAlgorithm Aes192 -Confirm:$false

Creates an Aes192 encryption key for the pubs database on sql01 using the certiciated named "sql01 cert" in master.
Does not prompt for confirmation.

Optional Parameters

-SqlInstance

The target SQL Server instance or instances.

Alias
Required False
Pipeline false
Default Value
-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Alias
Required False
Pipeline false
Default Value
-Database

Specifies the database where the encryption key will be created to enable Transparent Data Encryption.
This is the user database you want to encrypt, not the master database where certificates are stored.

Alias
Required False
Pipeline false
Default Value master
-EncryptorName

Specifies the name of the certificate or asymmetric key in the master database to encrypt the database encryption key.
If not provided, the function automatically selects an appropriate certificate from master (requires exactly one non-system certificate to exist).
For asymmetric keys, the key must reside on an extensible key management provider like Azure Key Vault or Hardware Security Module.

Alias Certificate,CertificateName
Required False
Pipeline false
Default Value
-Type

Specifies whether to use a Certificate or AsymmetricKey from the master database as the encryptor.
Certificates are more common for TDE implementations, while asymmetric keys are typically used with external key management providers.

Alias
Required False
Pipeline false
Default Value Certificate
Accepted Values Certificate,AsymmetricKey
-EncryptionAlgorithm

Specifies the symmetric encryption algorithm used for the database encryption key.
Aes256 provides the strongest encryption and is recommended for production environments, while Aes128 offers faster performance.
TripleDes is legacy and should be avoided for new implementations.

Alias
Required False
Pipeline false
Default Value Aes256
Accepted Values Aes128,Aes192,Aes256,TripleDes
-InputObject

Accepts database objects from Get-DbaDatabase to create encryption keys for multiple databases.
Use this when you need to enable TDE on several databases across one or more SQL Server instances.

Alias
Required False
Pipeline true (ByValue)
Default Value
-Force

Bypasses the safety check that prevents creating encryption keys with unbackup certificates, which could lead to unrecoverable data loss.
Also creates the specified certificate automatically if it doesn't exist in the master database.
Use this only in development environments or when you have verified certificate backups exist through other means.

Alias
Required False
Pipeline false
Default Value False
-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False
-WhatIf

Shows what would happen if the command were to run. No actions are actually performed.

Alias wi
Required False
Pipeline false
Default Value
-Confirm

Prompts you for confirmation before executing any changing operations within the command.

Alias cf
Required False
Pipeline false
Default Value