Move a TDE Protected Database to Another SQL Server

Create a database master key and certificate in the master database. For more information, see Using Transact-SQL below.

Create a backup of the server certificate in the master database. For more information, see Using Transact-SQL below.

In Object Explorer, right-click the Databases folder and select New Database.

In the New Database dialog box, in the Database name box, enter the name of the new database.

In the Owner box, enter the name of the new database's owner. Alternately, click the ellipsis (…) to open the Select Database Owner dialog box. For more information on creating a new database, see Create a Database.

In Object Explorer, click the plus sign to expand the Databases folder.

Right-click the database you created, point to Tasks, and select Manage Database Encryption.

The following options are available on the Manage Database Encryption dialog box.

Encryption Algorithm

Displays or sets the algorithm to use for database encryption. AES128 is the default algorithm. This field cannot be blank. For more information on encryption algorithms, see Choose an Encryption Algorithm.

Use server certificate

Sets the encryption to be secured by a certificate. Select one from the list. If you do not have the VIEW DEFINITION permission on server certificates, this list will be empty. If a certificate method of encryption is selected, this value cannot be empty. For more information about certificates, see SQL Server Certificates and Asymmetric Keys.

Use server asymmetric key

Sets the encryption to be secured by an asymmetric key. Only available asymmetric keys are displayed. Only an asymmetric key protected by an EKM module can encrypt a database using TDE.

Set Database Encryption On

Alters the database to turn on (checked) or turn off (unchecked) TDE.

When finished, click OK.

In Object Explorer, connect to an instance of Database Engine.

On the Standard bar, click New Query.

Copy and paste the following example into the query window and click Execute.

-- Create a database master key and a certificate in the master database.
USE master ;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '*rt@40(FL&dasl1';
GO
CREATE CERTIFICATE TestSQLServerCert 
WITH SUBJECT = 'Certificate to protect TDE key'
GO
-- Create a backup of the server certificate in the master database.
-- The following code stores the backup of the certificate and the private key file in the default data location for this instance of SQL Server 
-- (C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA).

BACKUP CERTIFICATE TestSQLServerCert 
TO FILE = 'TestSQLServerCert'
WITH PRIVATE KEY 
(
    FILE = 'SQLPrivateKeyFile',
    ENCRYPTION BY PASSWORD = '*rt@40(FL&dasl1'
);
GO
-- Create a database to be protected by TDE.
CREATE DATABASE CustRecords ;
GO
-- Switch to the new database.
-- Create a database encryption key, that is protected by the server certificate in the master database. 
-- Alter the new database to encrypt the database using TDE.
USE CustRecords;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE TestSQLServerCert;
GO
ALTER DATABASE CustRecords
SET ENCRYPTION ON;
GO

In Object Explorer, right-click the database you encrypted above, point to Tasks and select Detach….

The following options are available in the Detach Database dialog box.

Databases to detach

Lists the databases to detach.

Database Name

Displays the name of the database to be detached.

Drop Connections

Disconnect connections to the specified database.

Note
You cannot detach a database with active connections.

Update Statistics

By default, the detach operation retains any out-of-date optimization statistics when detaching the database; to update the existing optimization statistics, click this check box.

Keep Full-Text Catalogs

By default, the detach operation keeps any full-text catalogs that are associated with the database. To remove them, clear the Keep Full-Text Catalogs check box. This option appears only when you are upgrading a database from SQL Server 2005.

Status

Displays one of the following states: Ready or Not ready.

Message

The Message column may display information about the database, as follows:

• When a database is involved with replication, the Status is Not ready and the Message column displays Database replicated.

• When a database has one or more active connections, the Status is Not ready and the Message column displays <number_of_active_connections> Active connection(s) — for example: 1 Active connection(s). Before you can detach the database, you need to disconnect any active connections by selecting Drop Connections.

To obtain more information about a message, click the hyperlinked text to open Activity Monitor.

Click OK.

Using Windows Explorer, move or copy the database files from the source server to the same location on the destination server.

Using Windows Explorer, move or copy the backup of the server certificate and the private key file from the source server to the same location on the destination server.

Create a database master key on the destination instance of SQL Server. For more information, see Using Transact-SQL below.

Recreate the server certificate by using the original server certificate backup file. For more information, see Using Transact-SQL below.

In Object Explorer in SQL Server Management Studio, right-click the Databases folder and select Attach….

In the Attach Databases dialog box, under Databases to attach, click Add.

In the Locate Database Files – server_name dialog box, select the database file to attach to the new server and click OK.

The following options are available in the Attach Databases dialog box.

Databases to attach

Displays information about the selected databases.

<no column header>

Displays an icon indicating the status of the attach operation. The possible icons are described in the Status description, below).

MDF File Location

Displays the path and file name of the selected MDF file.

Database Name

Displays the name of the database.

Attach As

Optionally, specifies a different name for the database to attach as.

Owner

Provides a drop-down list of possible database owners from which you can optionally select a different owner.

Status

Displays the status of the database according to the following table.

Icon	Status text	Description
(No icon)	(No text)	Attach operation has not been started or may be pending for this object. This is the default when the dialog is opened.
Green, right-pointing triangle	In progress	Attach operation has been started but it is not complete.
Green check mark	Success	The object has been attached successfully.
Red circle containing a white cross	Error	Attach operation encountered an error and did not complete successfully.
Circle containing two black quadrants (on left and right) and two white quadrants (on top and bottom)	Stopped	Attach operation was not completed successfully because the user stopped the operation.
Circle containing a curved arrow pointing counter-clockwise	Rolled Back	Attach operation was successful but it has been rolled back due to an error during attachment of another object.

Message

Displays either a blank message or a "File not found" hyperlink.

Add

Find the necessary main database files. When the user selects an .mdf file, applicable information is automatically filled in the respective fields of the Databases to attach grid.

Remove

Removes the selected file from the Databases to attach grid.

" <database_name> " database details

Displays the names of the files to be attached. To verify or change the pathname of a file, click the Browse button (…).

Note
If a file does not exist, the Message column displays "Not found." If a log file is not found, it exists in another directory or has been deleted. You need to either update the file path in the database details grid to point to the correct location or remove the log file from the grid. If an .ndf data file is not found, you need to update its path in the grid to point to the correct location.

Original File Name

Displays the name of the attached file belonging to the database.

File Type

Indicates the type of file, Data or Log.

Current File Path

Displays the path to the selected database file. The path can be edited manually.

Message

Displays either a blank message or a "File not found" hyperlink.

In Object Explorer, connect to an instance of Database Engine.

On the Standard bar, click New Query.

Copy and paste the following example into the query window and click Execute.

-- Detach the TDE protected database from the source server. 
USE master ;
GO
EXEC master.dbo.sp_detach_db @dbname = N'CustRecords';
GO
-- Move or copy the database files from the source server to the same location on the destination server. 
-- Move or copy the backup of the server certificate and the private key file from the source server to the same location on the destination server. 
-- Create a database master key on the destination instance of SQL Server. 
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '*rt@40(FL&dasl1';
GO
-- Recreate the server certificate by using the original server certificate backup file. 
-- The password must be the same as the password that was used when the backup was created.

CREATE CERTIFICATE TestSQLServerCert 
FROM FILE = 'TestSQLServerCert'
WITH PRIVATE KEY 
(
    FILE = 'SQLPrivateKeyFile',
    DECRYPTION BY PASSWORD = '*rt@40(FL&dasl1'
);
GO
-- Attach the database that is being moved. 
-- The path of the database files must be the location where you have stored the database files.
CREATE DATABASE [CustRecords] ON 
( FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\CustRecords.mdf' ),
( FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\CustRecords_log.LDF' )
FOR ATTACH ;
GO