| title | description | author | ms.author | ms.date | ms.service | ms.subservice | ms.topic | f1_keywords | helpviewer_keywords | dev_langs | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
BACKUP MASTER KEY (Transact-SQL) |
BACKUP MASTER KEY (Transact-SQL) |
VanMSFT |
vanto |
05/24/2022 |
sql |
t-sql |
reference |
|
|
|
[!INCLUDE SQL Server]
Exports the database master key.
Important
[!INCLUDE sssql22-md] introduces backup and restore support for the database master key to and from an Azure Blob storage. The URL syntax is only available for [!INCLUDE sssql22-md] and later.
:::image type="icon" source="../../includes/media/topic-link-icon.svg" border="false"::: Transact-SQL syntax conventions
BACKUP MASTER KEY TO
{
FILE = 'path_to_file'
| URL = 'Azure Blob storage URL'
}
ENCRYPTION BY PASSWORD = 'password'
FILE ='path_to_file'
Specifies the complete path, including file name, to the file to which the master key will be exported. The path may be a local path or a UNC path to a network location.
URL ='Azure Blob storage URL'
Applies to: [!INCLUDE sssql22-md] and later
Is the URL for your Azure Blob storage, in the format similar to https://<storage_account_name>.blob.core.windows.net/<storage_container_name>/<backup_file_name>.bak.
ENCRYPTION BY PASSWORD ='password'
Is the password used to encrypt the master key in the file. This password is subject to complexity checks. For more information, see Password Policy.
The master key must be open and, therefore, decrypted before it's backed up. If it's encrypted with the service master key, the master key doesn't have to be explicitly opened. But if the master key is encrypted only with a password, it must be explicitly opened.
Back up the master key as soon as it's created, and store the backup in a secure, off-site location.
Applies to: [!INCLUDE sssql22-md] and later.
To back up the database master key to an Azure Blob storage, the following prerequisites apply:
-
Have an Azure storage account.
-
Create a SQL Server credential using a shared access signature.
For more information, see Tutorial: Use Azure Blob Storage with SQL Server.
Requires CONTROL permission on the database.
The following example creates a backup of the [!INCLUDE sssampledbobject-md] master key to a file. Because this master key isn't encrypted by the service master key, a password must be specified when it's opened.
USE AdventureWorks2022;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'sfj5300osdVdgwdfkli7';
BACKUP MASTER KEY TO FILE = 'c:\temp\AdventureWorks2022_master_key'
ENCRYPTION BY PASSWORD = 'sd092735kjn$&adsg';
GO The following example creates a backup of the [!INCLUDE sssampledbobject-md] master key to an Azure Blob storage. Because this master key isn't encrypted by the service master key, a password must be specified when it's opened.
USE AdventureWorks2022;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'sfj5300osdVdgwdfkli7';
BACKUP MASTER KEY TO URL = 'https://mydocsteststorage.blob.core.windows.net/mytestcontainer/AdventureWorks2022_master_key.bak'
ENCRYPTION BY PASSWORD = 'sd092735kjn$&adsg';
GO CREATE MASTER KEY (Transact-SQL)
OPEN MASTER KEY (Transact-SQL)
CLOSE MASTER KEY (Transact-SQL)
RESTORE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
DROP MASTER KEY (Transact-SQL)
Encryption Hierarchy
BACKUP SYMMETRIC KEY