Backup those Keys

I’m working on a Policy that will expose a particularly thorny issue. In SQL Server 2008, you can use a new feature called Transparent Data Encryption (TDE). This feature encrypts the entire database, so you don’t have to change your application at all. If anyone were to steal the database, they couldn’t read it.

The issue shows up with the way you encrypt the database. You can encrypt it with a key, or with a certificate. If you lose that certificate, you’ll never be able to restore the database somewhere else. Never. Microsoft does not have a "back door" we can use or anything like that. So it’s super-important that you back up the certificate used to encrypt the database.

I’ll post the results of my testing shortly – but for now, if you’re using TDE or any other encryption, make sure you back up those keys and certificates somewhere, and make sure your organization has a way to notify the proper people if you’re not on the scene to restore them.