Azure managed instance backup encrypted database

Jaime Maccou 0

How to backup Azure managed instance database that is TDE encryption enabled

Jaime Maccou 0 Reputation points

2024-11-13T21:20:54.58+00:00

I did not want to decrypt, take a backup and then encrypt again
ShaktiSingh-MSFT 15,766 Reputation points

2024-11-14T04:39:20.92+00:00

Hi Jaime Maccou •,

Welcome to Microsoft Q&A forum.

As I understand, you want to backup Azure SQL Managed Instance that is TDE Encrypted.

Taking manual COPY-ONLY backup of a database encrypted by service-managed TDE is not supported in Azure SQL Managed Instance, since the certificate used for encryption is not accessible. Use point-in-time-restore feature to move this type of database to another SQL Managed Instance, or switch to customer-managed key.

You may try to perform Restore of backup file but when you export a TDE-protected database, the exported content of the database isn't encrypted. This exported content is stored in unencrypted BACPAC files. Be sure to protect the BACPAC files appropriately and enable TDE after import of the new database is finished.

For example, if the BACPAC file is exported from a SQL Server instance, the imported content of the new database isn't automatically encrypted. Likewise, if the BACPAC file is imported to a SQL Server instance, the new database also isn't automatically encrypted.

The one exception is when you export a database to and from SQL Database. TDE is enabled on the new database, but the BACPAC file itself still isn't encrypted.

For more details refer here:

https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal

Let us know if this helps or you have a different ask.

Thanks
ShaktiSingh-MSFT 15,766 Reputation points

2024-11-15T03:36:42.1566667+00:00

Hi Jaime Maccou •,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have found resolution, please do share that same with the community as it can be helpful to others.

Else, please share more details and we will try to help.

Thanks
Jaime Maccou 0 Reputation points

2024-11-15T05:01:40.39+00:00

Thank for the information. Since backing TDE encrypted Database to Blob Storage is not supported. I chose to use bacpac and upload to the blob storage container. Option kept break the folder and the connection. The database size 67 GB and blob type is Block blob.
ShaktiSingh-MSFT 15,766 Reputation points

2024-11-20T03:58:12.91+00:00

Hi Jaime Maccou •,

Just checking if the provided reply helped or you have a different ask.

Thanks

2 answers

Luis Arias 7,526 Reputation points

2024-11-13T22:35:46.3833333+00:00
Hello ,

For Azure SQL Managed Instance, no special operation is needed to back up or restore a TDE-enabled database, as TDE is managed natively by Azure:

Automated Backups: Azure SQL Managed Instance automatically backs up TDE-encrypted databases to geo-redundant storage. You don't need additional steps for backup, as TDE encryption is applied transparently.

Manual Backups (Optional): If you need manual backups (e.g., BACKUP TO URL), you can create them directly to Azure Blob Storage, and TDE encryption remains in place without additional actions. The backup file is encrypted and can only be restored on compatible instances.

Restoration: When restoring, the instance will automatically manage TDE. No decryption or re-encryption is required, as Azure handles the encryption keys and settings.

References

Transparent Data Encryption (TDE) for Azure SQL Database

Automated Backups and Manual Backups for Azure SQL Managed Instance

If this clarifies your question, please accept the answer.

Luis
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
ShaktiSingh-MSFT 15,766 Reputation points

2024-11-18T09:12:48.9866667+00:00
Hi Jaime Maccou •,

Thanks for the details and sorry about the inconvenience you are facing.

If you're exporting to blob storage, the maximum size of a BACPAC file is 200 GB. To archive a larger BACPAC file, export to local storage with SqlPackage.

For larger databases, BACPAC export/import might take a long time, and might fail for various reasons.

BACPACs are not intended to be used for backup and restore operations. Azure automatically creates backups for every user database. For details, see business continuity overview and Automated backups in Azure SQL Database or Automated backups in Azure SQL Managed Instance.

Azure SQL Managed Instance doesn't currently support exporting a database to a BACPAC file using the Azure portal or Azure PowerShell. To export a managed instance into a BACPAC file, use SQL Server Management Studio (SSMS) or SQLPackage.

Please try SQLPackage if that helps and let us know the result.

Thanks
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure managed instance backup encrypted database

2 answers

Your answer