Delen via


Back Up the Service Master Key

This topic describes how to back-up the Service Master key in SQL Server 2012 by using Transact-SQL. The service master key is the root of the encryption hierarchy. It should be backed up and stored in a secure, off-site location. Creating this backup should be one of the first administrative actions performed on the server.

In This Topic

  • Before you begin:

    Limitations and Restrictions

    Security

  • To back-up the Service Master key

Before You Begin

Limitations and Restrictions

  • The master key must be open and, therefore, decrypted before it is backed up. If it is encrypted with the service master key, the master key does not have to be explicitly opened; however, if the master key is encrypted only with a password, it must be explicitly opened.

  • We recommend that you back up the master key as soon as it is created, and store the backup in a secure, off-site location.

Security

Permissions

Requires CONTROL permission on the database.

Arrow icon used with Back to Top link[Top]

Using Transact-SQL

To back-up the Service Master key

  1. In SQL Server Management Studio, connect to the SQL Server instance containing the service master key you wish to back up.

  2. Choose a password that will be used to encrypt the service master key on the backup medium. This password is subject to complexity checks. For more information, see Password Policy.

  3. Obtain a removable backup medium for storing a copy of the backed-up key.

  4. Identify an NTFS directory in which to create the backup of the key. This is where you will create the file specified in the next step. The directory should be protected with highly restrictive access control lists (ACLs).

  5. In Object Explorer, connect to an instance of Database Engine.

  6. On the Standard bar, click New Query.

  7. Copy and paste the following example into the query window and click Execute.

    -- Creates a backup of the "AdventureWorks2012" master key.
    -- Because this master key is not encrypted by the service master key, a password must be specified when it is opened.
    USE AdventureWorks2012;
    GO
    BACKUP SERVICE MASTER KEY TO FILE = 'c:\temp_backups\keys\service_master_ key' 
        ENCRYPTION BY PASSWORD = '3dH85Hhk003GHk2597gheij4';
    GO
    
    -- Creates a backup of the "AdventureWorks2012" master key.
    -- Because this master key is not encrypted by the service master key, a password must be specified when it is opened.
    USE AdventureWorks2012;
    GO
    BACKUP SERVICE MASTER KEY TO FILE = 'c:\temp_backups\keys\service_master_ key' 
        ENCRYPTION BY PASSWORD = '3dH85Hhk003GHk2597gheij4';
    GO
    

    Note

    The file path to the key and the key's password (if it exists) will be different than what is indicated above. Make sure that both are specific to your server and key set-up.

  8. Copy the file to the backup medium and verify the copy.

  9. Store the backup in a secure, off-site location.

For more information, see OPEN MASTER KEY (Transact-SQL) and BACKUP MASTER KEY (Transact-SQL).

Arrow icon used with Back to Top link[Top]