How to find if SQL server backup is encrypted with TDE without restoring the backup The Next CEO of Stack OverflowRestoring a backup to an older version of SQL ServerCan I recover a TDE certificate by restoring the MASTER database?How do you copy a TDE-encrypted SQL Server database using T-SQL programatically?Backup SQL Server with VMwareRestoring encrypted database on another server (using Backup Encryption)A SQL Server database backup/restore issueIs network traffic encrypted when writing remote backups using SQL Server TDE?Restore SQL Server DB encrypted by EKM - where's the asymmetric key?Always Encrypted after restoring an old database backup using C#Restoring MS SQL TDE database question
Can Sri Krishna be called 'a person'?
Creating a script with console commands
How can I prove that a state of equilibrium is unstable?
How dangerous is XSS
Planeswalker Ability and Death Timing
Another proof that dividing by 0 does not exist is it right?
Calculating discount not working
subequations: How to continue numbering within subequation?
Compensation for working overtime on Saturdays
How can a day be of 24 hours?
How should I connect my cat5 cable to connectors having an orange-green line?
Why did early computer designers eschew integers?
Is a bad practice make variations on power's tracks width in pcb?
How do I secure a TV wall mount?
Is there a rule of thumb for determining the amount one should accept for of a settlement offer?
How seriously should I take size and weight limits of hand luggage?
Is it a bad idea to plug the other end of ESD strap to wall ground?
Could you use a laser beam as a modulated carrier wave for radio signal?
Salesforce opportunity stages
Plausibility of squid whales
Trying to insert a background image via TikZ results in extra white-space around the corners
What is Decreasing Arithmetic progression?
Is it correct to say moon starry nights?
Fastest algorithm to decide whether a (always halting) TM accepts a general string
How to find if SQL server backup is encrypted with TDE without restoring the backup
The Next CEO of Stack OverflowRestoring a backup to an older version of SQL ServerCan I recover a TDE certificate by restoring the MASTER database?How do you copy a TDE-encrypted SQL Server database using T-SQL programatically?Backup SQL Server with VMwareRestoring encrypted database on another server (using Backup Encryption)A SQL Server database backup/restore issueIs network traffic encrypted when writing remote backups using SQL Server TDE?Restore SQL Server DB encrypted by EKM - where's the asymmetric key?Always Encrypted after restoring an old database backup using C#Restoring MS SQL TDE database question
Is there a way to find from the SQL Server Backup file or MSDB tables if the backup is encrypted with TDE without trying to restore the backup file?
Thanks
sql-server
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Is there a way to find from the SQL Server Backup file or MSDB tables if the backup is encrypted with TDE without trying to restore the backup file?
Thanks
sql-server
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Is there a way to find from the SQL Server Backup file or MSDB tables if the backup is encrypted with TDE without trying to restore the backup file?
Thanks
sql-server
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Is there a way to find from the SQL Server Backup file or MSDB tables if the backup is encrypted with TDE without trying to restore the backup file?
Thanks
sql-server
sql-server
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
yegnasewyegnasew
333
333
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
yegnasew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
Imagine for a second that you've got a 1 terabyte database. Backing it up takes a while, and encrypting it takes a while. So imagine that:
- 9:00 AM - you start taking a full backup
- 9:01 AM - in another window, you start enabling TDE on the database
- 9:05 AM - the backup completes
- 9:10 AM - TDE completes
What would you expect your query to return, given that as soon as you finish restoring the full backup, it's going to continue applying TDE, encrypting the rest of your database?
Conversely, imagine that you start with an already-encrypted database, and:
- 9:00 AM - you remove TDE (which takes some time)
- 9:01 AM - you start a full backup
- 9:05 AM - the data pages are no longer encrypted
- 9:06 AM - your full backup completes
What would you expect the query to return? These are example scenarios of why TDE encryption isn't one of the fields included in msdb.dbo.backupset.
The backupset containskey_algorithmcolumn. If it hasNO_Encryptionthen the backup is not encrypted. This is same column that a restore with headeronly will expose.
– Kin
3 hours ago
@Kin - I believe the OP is interested in knowing whether the backup is from a TDE database, but not necessarily created using backup encryption. Correct me if I'm wrong, but it seems thatkey_algorithmis only used to indicate backup encryption, not TDE encryption. My backups of TDE databases have nulls in KeyAlgorithm. Am I missing something?
– Scott Hodgin
3 hours ago
Thank You all for a quick response and @ScottHodgin yes I wanted to know if the backup is from a TDE database and Brent's answer made it clear.
– yegnasew
2 hours ago
add a comment |
I up-voted Brent's answer, as his scenario could definitely muddy the water on whether the backup contained TDE data.
However, if you've had TDE enabled for a while, it seems that RESTORE FILELISTONLY (Transact-SQL) might provide the information you're after. There is a column on the result set called TDEThumbprint which "Shows the thumbprint of the Database Encryption Key. The encryptor thumbprint is a SHA-1 hash of the certificate with which the key is encrypted."
I looked at some of my backups which were both TDE encrypted and not TDE encrypted.
The backups of my TDE databases had the certificate thumbprint in that column and the backups that did not have TDE databases had null.
1
+1 for answering the question
– FreeSoftwareServers
1 hour ago
add a comment |
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "182"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
yegnasew is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f233674%2fhow-to-find-if-sql-server-backup-is-encrypted-with-tde-without-restoring-the-bac%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Imagine for a second that you've got a 1 terabyte database. Backing it up takes a while, and encrypting it takes a while. So imagine that:
- 9:00 AM - you start taking a full backup
- 9:01 AM - in another window, you start enabling TDE on the database
- 9:05 AM - the backup completes
- 9:10 AM - TDE completes
What would you expect your query to return, given that as soon as you finish restoring the full backup, it's going to continue applying TDE, encrypting the rest of your database?
Conversely, imagine that you start with an already-encrypted database, and:
- 9:00 AM - you remove TDE (which takes some time)
- 9:01 AM - you start a full backup
- 9:05 AM - the data pages are no longer encrypted
- 9:06 AM - your full backup completes
What would you expect the query to return? These are example scenarios of why TDE encryption isn't one of the fields included in msdb.dbo.backupset.
The backupset containskey_algorithmcolumn. If it hasNO_Encryptionthen the backup is not encrypted. This is same column that a restore with headeronly will expose.
– Kin
3 hours ago
@Kin - I believe the OP is interested in knowing whether the backup is from a TDE database, but not necessarily created using backup encryption. Correct me if I'm wrong, but it seems thatkey_algorithmis only used to indicate backup encryption, not TDE encryption. My backups of TDE databases have nulls in KeyAlgorithm. Am I missing something?
– Scott Hodgin
3 hours ago
Thank You all for a quick response and @ScottHodgin yes I wanted to know if the backup is from a TDE database and Brent's answer made it clear.
– yegnasew
2 hours ago
add a comment |
Imagine for a second that you've got a 1 terabyte database. Backing it up takes a while, and encrypting it takes a while. So imagine that:
- 9:00 AM - you start taking a full backup
- 9:01 AM - in another window, you start enabling TDE on the database
- 9:05 AM - the backup completes
- 9:10 AM - TDE completes
What would you expect your query to return, given that as soon as you finish restoring the full backup, it's going to continue applying TDE, encrypting the rest of your database?
Conversely, imagine that you start with an already-encrypted database, and:
- 9:00 AM - you remove TDE (which takes some time)
- 9:01 AM - you start a full backup
- 9:05 AM - the data pages are no longer encrypted
- 9:06 AM - your full backup completes
What would you expect the query to return? These are example scenarios of why TDE encryption isn't one of the fields included in msdb.dbo.backupset.
The backupset containskey_algorithmcolumn. If it hasNO_Encryptionthen the backup is not encrypted. This is same column that a restore with headeronly will expose.
– Kin
3 hours ago
@Kin - I believe the OP is interested in knowing whether the backup is from a TDE database, but not necessarily created using backup encryption. Correct me if I'm wrong, but it seems thatkey_algorithmis only used to indicate backup encryption, not TDE encryption. My backups of TDE databases have nulls in KeyAlgorithm. Am I missing something?
– Scott Hodgin
3 hours ago
Thank You all for a quick response and @ScottHodgin yes I wanted to know if the backup is from a TDE database and Brent's answer made it clear.
– yegnasew
2 hours ago
add a comment |
Imagine for a second that you've got a 1 terabyte database. Backing it up takes a while, and encrypting it takes a while. So imagine that:
- 9:00 AM - you start taking a full backup
- 9:01 AM - in another window, you start enabling TDE on the database
- 9:05 AM - the backup completes
- 9:10 AM - TDE completes
What would you expect your query to return, given that as soon as you finish restoring the full backup, it's going to continue applying TDE, encrypting the rest of your database?
Conversely, imagine that you start with an already-encrypted database, and:
- 9:00 AM - you remove TDE (which takes some time)
- 9:01 AM - you start a full backup
- 9:05 AM - the data pages are no longer encrypted
- 9:06 AM - your full backup completes
What would you expect the query to return? These are example scenarios of why TDE encryption isn't one of the fields included in msdb.dbo.backupset.
Imagine for a second that you've got a 1 terabyte database. Backing it up takes a while, and encrypting it takes a while. So imagine that:
- 9:00 AM - you start taking a full backup
- 9:01 AM - in another window, you start enabling TDE on the database
- 9:05 AM - the backup completes
- 9:10 AM - TDE completes
What would you expect your query to return, given that as soon as you finish restoring the full backup, it's going to continue applying TDE, encrypting the rest of your database?
Conversely, imagine that you start with an already-encrypted database, and:
- 9:00 AM - you remove TDE (which takes some time)
- 9:01 AM - you start a full backup
- 9:05 AM - the data pages are no longer encrypted
- 9:06 AM - your full backup completes
What would you expect the query to return? These are example scenarios of why TDE encryption isn't one of the fields included in msdb.dbo.backupset.
answered 3 hours ago
Brent OzarBrent Ozar
35.7k19109241
35.7k19109241
The backupset containskey_algorithmcolumn. If it hasNO_Encryptionthen the backup is not encrypted. This is same column that a restore with headeronly will expose.
– Kin
3 hours ago
@Kin - I believe the OP is interested in knowing whether the backup is from a TDE database, but not necessarily created using backup encryption. Correct me if I'm wrong, but it seems thatkey_algorithmis only used to indicate backup encryption, not TDE encryption. My backups of TDE databases have nulls in KeyAlgorithm. Am I missing something?
– Scott Hodgin
3 hours ago
Thank You all for a quick response and @ScottHodgin yes I wanted to know if the backup is from a TDE database and Brent's answer made it clear.
– yegnasew
2 hours ago
add a comment |
The backupset containskey_algorithmcolumn. If it hasNO_Encryptionthen the backup is not encrypted. This is same column that a restore with headeronly will expose.
– Kin
3 hours ago
@Kin - I believe the OP is interested in knowing whether the backup is from a TDE database, but not necessarily created using backup encryption. Correct me if I'm wrong, but it seems thatkey_algorithmis only used to indicate backup encryption, not TDE encryption. My backups of TDE databases have nulls in KeyAlgorithm. Am I missing something?
– Scott Hodgin
3 hours ago
Thank You all for a quick response and @ScottHodgin yes I wanted to know if the backup is from a TDE database and Brent's answer made it clear.
– yegnasew
2 hours ago
The backupset contains
key_algorithm column. If it has NO_Encryption then the backup is not encrypted. This is same column that a restore with headeronly will expose.– Kin
3 hours ago
The backupset contains
key_algorithm column. If it has NO_Encryption then the backup is not encrypted. This is same column that a restore with headeronly will expose.– Kin
3 hours ago
@Kin - I believe the OP is interested in knowing whether the backup is from a TDE database, but not necessarily created using backup encryption. Correct me if I'm wrong, but it seems that
key_algorithm is only used to indicate backup encryption, not TDE encryption. My backups of TDE databases have nulls in KeyAlgorithm. Am I missing something?– Scott Hodgin
3 hours ago
@Kin - I believe the OP is interested in knowing whether the backup is from a TDE database, but not necessarily created using backup encryption. Correct me if I'm wrong, but it seems that
key_algorithm is only used to indicate backup encryption, not TDE encryption. My backups of TDE databases have nulls in KeyAlgorithm. Am I missing something?– Scott Hodgin
3 hours ago
Thank You all for a quick response and @ScottHodgin yes I wanted to know if the backup is from a TDE database and Brent's answer made it clear.
– yegnasew
2 hours ago
Thank You all for a quick response and @ScottHodgin yes I wanted to know if the backup is from a TDE database and Brent's answer made it clear.
– yegnasew
2 hours ago
add a comment |
I up-voted Brent's answer, as his scenario could definitely muddy the water on whether the backup contained TDE data.
However, if you've had TDE enabled for a while, it seems that RESTORE FILELISTONLY (Transact-SQL) might provide the information you're after. There is a column on the result set called TDEThumbprint which "Shows the thumbprint of the Database Encryption Key. The encryptor thumbprint is a SHA-1 hash of the certificate with which the key is encrypted."
I looked at some of my backups which were both TDE encrypted and not TDE encrypted.
The backups of my TDE databases had the certificate thumbprint in that column and the backups that did not have TDE databases had null.
1
+1 for answering the question
– FreeSoftwareServers
1 hour ago
add a comment |
I up-voted Brent's answer, as his scenario could definitely muddy the water on whether the backup contained TDE data.
However, if you've had TDE enabled for a while, it seems that RESTORE FILELISTONLY (Transact-SQL) might provide the information you're after. There is a column on the result set called TDEThumbprint which "Shows the thumbprint of the Database Encryption Key. The encryptor thumbprint is a SHA-1 hash of the certificate with which the key is encrypted."
I looked at some of my backups which were both TDE encrypted and not TDE encrypted.
The backups of my TDE databases had the certificate thumbprint in that column and the backups that did not have TDE databases had null.
1
+1 for answering the question
– FreeSoftwareServers
1 hour ago
add a comment |
I up-voted Brent's answer, as his scenario could definitely muddy the water on whether the backup contained TDE data.
However, if you've had TDE enabled for a while, it seems that RESTORE FILELISTONLY (Transact-SQL) might provide the information you're after. There is a column on the result set called TDEThumbprint which "Shows the thumbprint of the Database Encryption Key. The encryptor thumbprint is a SHA-1 hash of the certificate with which the key is encrypted."
I looked at some of my backups which were both TDE encrypted and not TDE encrypted.
The backups of my TDE databases had the certificate thumbprint in that column and the backups that did not have TDE databases had null.
I up-voted Brent's answer, as his scenario could definitely muddy the water on whether the backup contained TDE data.
However, if you've had TDE enabled for a while, it seems that RESTORE FILELISTONLY (Transact-SQL) might provide the information you're after. There is a column on the result set called TDEThumbprint which "Shows the thumbprint of the Database Encryption Key. The encryptor thumbprint is a SHA-1 hash of the certificate with which the key is encrypted."
I looked at some of my backups which were both TDE encrypted and not TDE encrypted.
The backups of my TDE databases had the certificate thumbprint in that column and the backups that did not have TDE databases had null.
answered 3 hours ago
Scott HodginScott Hodgin
18k21635
18k21635
1
+1 for answering the question
– FreeSoftwareServers
1 hour ago
add a comment |
1
+1 for answering the question
– FreeSoftwareServers
1 hour ago
1
1
+1 for answering the question
– FreeSoftwareServers
1 hour ago
+1 for answering the question
– FreeSoftwareServers
1 hour ago
add a comment |
yegnasew is a new contributor. Be nice, and check out our Code of Conduct.
yegnasew is a new contributor. Be nice, and check out our Code of Conduct.
yegnasew is a new contributor. Be nice, and check out our Code of Conduct.
yegnasew is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Database Administrators Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f233674%2fhow-to-find-if-sql-server-backup-is-encrypted-with-tde-without-restoring-the-bac%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
