| Author | Chrissy LeMaire (@cl), netnerds.net |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Remove-DbaDbMasterKey on GitHub.
Want to see the Bill Of Health for this command? Check out Remove-DbaDbMasterKey.
Removes database master keys from SQL Server databases
Removes database master keys from specified SQL Server databases by executing DROP MASTER KEY. Database master keys are used to encrypt other database-level encryption keys, including those for Transparent Data Encryption (TDE), Always Encrypted, and certificate private keys. This function is typically used when decommissioning database encryption, migrating to different encryption strategies, or cleaning up unused encryption infrastructure during database maintenance or compliance changes.
Remove-DbaDbMasterKey
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-ExcludeDatabase] <String[]>]
[-All]
[[-InputObject] <MasterKey[]>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> Remove-DbaDbMasterKey -SqlInstance sql2017, sql2016 -Database pubs
The master key in the pubs database on sql2017 and sql2016 will be removed if it exists.
PS C:\> Remove-DbaDbMasterKey -SqlInstance sql2017 -Database db1 -Confirm:$false
Suppresses all prompts to remove the master key in the 'db1' database and drops the key.
PS C:\> Get-DbaDbMasterKey -SqlInstance sql2017 -Database db1 | Remove-DbaDbMasterKey -Confirm:$false
Suppresses all prompts to remove the master key in the 'db1' database and drops the key.
The target SQL Server instance or instances.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies which databases to remove master keys from. Accepts multiple database names.
Use this when you need to remove encryption from specific databases during TDE decommissioning or security policy changes.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies databases to skip when using the -All parameter to remove master keys from all databases.
Use this to protect critical databases that must retain their encryption while cleaning up master keys from other databases on the instance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Removes master keys from all user databases on the SQL Server instance.
Use this when decommissioning encryption across an entire instance or during major security architecture changes.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Accepts master key objects from Get-DbaDbMasterKey through the pipeline.
Use this approach when you need to filter or inspect master keys before removing them, providing more control over the removal process.
| Alias | |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Shows what would happen if the command were to run. No actions are actually performed.
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value |
Prompts you for confirmation before executing any changing operations within the command.
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value |