How to: Back Up the Service Master Key

The service master key is the root of the encryption hierarchy in SQL Server. It should be backed up and stored in a secure, off-site location. Creating this backup should be one of the first administrative actions performed on the server.

To back up the service master key

  1. In SQL Server Management Studio, connect to the SQL Server instance containing the service master key you wish to back up.

  2. Choose a password that will be used to encrypt the service master key on the backup medium. This password is subject to complexity checks. For more information, see Password Policy.

  3. Obtain a removable backup medium for storing a copy of the backed-up key.

  4. Identify an NTFS directory in which to create the backup of the key. This is where you will create the file specified in the next step. The directory should be protected with highly restrictive ACLs.

  5. In Query Editor, execute the following Transact-SQL command:

         BACKUP SERVICE MASTER KEY TO FILE = '<complete path and filename>'
             ENCRYPTION BY PASSWORD = '<password>';
         GO

  6. Copy the file to the backup medium and verify the copy.

  7. Store the backup in a secure, off-site location.

Security Note

It is usually best to create multiple copies of the backup, and to store one copy locally. The local copy can be the file you created when you backed up the service master key.
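
Steps 4 and 6 of the procedure can be scripted. The following PowerShell is an added example, not part of the original procedure: it locks down the backup directory before the key is written and confirms by SHA-256 hash that the copy on the removable medium matches the original. The paths, the file name, and the service account name are assumptions; replace them with the values for your instance.

```powershell
# Added example. All paths and the account name below are assumed values.
$BackupDir  = 'D:\KeyBackup'                   # hypothetical NTFS directory (step 4)
$BackupFile = Join-Path $BackupDir 'smk.bak'   # hypothetical file name used in step 5
$MediaDir   = 'E:\KeyBackup'                   # hypothetical removable medium (step 3)
$SqlService = 'NT SERVICE\MSSQLSERVER'         # assumed service account of a default instance

function Protect-KeyBackupDirectory {
    param([string]$Path, [string]$ServiceAccount)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Remove inherited ACEs, then grant access only to local administrators and
    # to the SQL Server service account, which is the identity that writes the file.
    icacls $Path /inheritance:r /grant:r `
        "BUILTIN\Administrators:(OI)(CI)F" "${ServiceAccount}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }
    icacls $Path    # print the resulting ACL so it can be reviewed
}

function Copy-VerifiedKeyBackup {
    param([string]$Source, [string]$DestinationDir)
    if (-not (Test-Path -Path $Source -PathType Leaf)) {
        throw "Backup file not found: $Source. Run step 5 first."
    }
    New-Item -ItemType Directory -Path $DestinationDir -Force | Out-Null
    $dest = Join-Path $DestinationDir (Split-Path -Path $Source -Leaf)
    Copy-Item -Path $Source -Destination $dest
    # Step 6: hash both files and refuse to report success on a mismatch.
    $srcHash = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $dest   -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Copy verification failed: $dest does not match $Source"
    }
    "Verified copy at $dest (SHA-256 $dstHash)"
}

# Before step 5:
#   Protect-KeyBackupDirectory -Path $BackupDir -ServiceAccount $SqlService
# After step 5 has written the file:
#   Copy-VerifiedKeyBackup -Source $BackupFile -DestinationDir $MediaDir
```

A matching hash only shows that the copy is intact. The password chosen in step 2 is still required to use the backup, so keep it separately from the backup medium.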