BACKUP MASTER KEY (Transact-SQL)

Applies to: SQL Server

Exports the database master key.

Important

SQL Server 2022 (16.x) introduces backup and restore support for the database master key to and from an Azure Blob storage. The URL syntax is only available for SQL Server 2022 (16.x) and later.

Transact-SQL syntax conventions

Syntax

BACKUP MASTER KEY TO 
  {
    FILE = 'path_to_file'
  | URL = 'Azure Blob storage URL'
  }   
    ENCRYPTION BY PASSWORD = 'password'  

Note

To view Transact-SQL syntax for SQL Server 2014 (12.x) and earlier versions, see Previous versions documentation.

Arguments

FILE ='path_to_file'
Specifies the complete path, including file name, to the file to which the master key will be exported. The path may be a local path or a UNC path to a network location.

URL ='Azure Blob storage URL'
Applies to: SQL Server 2022 (16.x) and later
Is the URL for your Azure Blob storage, in the format similar to https://<storage_account_name>.blob.core.windows.net/<storage_container_name>/<backup_file_name>.bak.

ENCRYPTION BY PASSWORD ='password'
Is the password used to encrypt the master key in the file. This password is subject to complexity checks. For more information, see Password Policy.

Remarks

The master key must be open and, therefore, decrypted before it's backed up. If it's encrypted with the service master key, the master key doesn't have to be explicitly opened. But if the master key is encrypted only with a password, it must be explicitly opened.

Back up the master key as soon as it's created, and store the backup in a secure, off-site location.

Authenticate to Azure Blob storage

Applies to: SQL Server 2022 (16.x) and later.

To back up the database master key to an Azure Blob storage, the following prerequisites apply:

  1. Have an Azure storage account.

  2. Create stored access policy and shared access storage.

  3. Create a SQL Server credential using a shared access signature.

    For more information, see Tutorial: Use Azure Blob Storage with SQL Server.

Permissions

Requires CONTROL permission on the database.

Examples

The following example creates a backup of the AdventureWorks2022 master key to a file. Because this master key isn't encrypted by the service master key, a password must be specified when it's opened.

USE AdventureWorks2022;  
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'sfj5300osdVdgwdfkli7';  
BACKUP MASTER KEY TO FILE = 'c:\temp\AdventureWorks2022_master_key'   
    ENCRYPTION BY PASSWORD = 'sd092735kjn$&adsg';  
GO   

The following example creates a backup of the AdventureWorks2022 master key to an Azure Blob storage. Because this master key isn't encrypted by the service master key, a password must be specified when it's opened.

USE AdventureWorks2022;  
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'sfj5300osdVdgwdfkli7';  
BACKUP MASTER KEY TO URL = 'https://mydocsteststorage.blob.core.windows.net/mytestcontainer/AdventureWorks2022_master_key.bak'  
    ENCRYPTION BY PASSWORD = 'sd092735kjn$&adsg';  
GO   

See also

CREATE MASTER KEY (Transact-SQL)
OPEN MASTER KEY (Transact-SQL)
CLOSE MASTER KEY (Transact-SQL)
RESTORE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
DROP MASTER KEY (Transact-SQL)
Encryption Hierarchy
BACKUP SYMMETRIC KEY