| description | BACKUP MASTER KEY (Transact-SQL) | ||||||
|---|---|---|---|---|---|---|---|
| title | BACKUP MASTER KEY (Transact-SQL) | Microsoft Docs | ||||||
| ms.custom | |||||||
| ms.date | 05/24/2022 | ||||||
| ms.prod | sql | ||||||
| ms.prod_service | sql-database | ||||||
| ms.reviewer | |||||||
| ms.technology | t-sql | ||||||
| ms.topic | reference | ||||||
| f1_keywords |
|
||||||
| dev_langs |
|
||||||
| helpviewer_keywords |
|
||||||
| author | VanMSFT | ||||||
| ms.author | vanto |
[!INCLUDE SQL Server]
Exports the database master key.
Important
SQL Server 2022 introduces backup and restore support for the database master key to and from an Azure Blob storage. The URL syntax is only available for SQL Server 2022 or later.
Transact-SQL Syntax Conventions
BACKUP MASTER KEY TO
{
FILE = 'path_to_file'
| URL = 'Azure Blob storage URL'
}
ENCRYPTION BY PASSWORD = 'password'
[!INCLUDEsql-server-tsql-previous-offline-documentation]
FILE ='path_to_file'
Specifies the complete path, including file name, to the file to which the master key will be exported. The path may be a local path or a UNC path to a network location.
URL ='Azure Blob storage URL'
Applies to: SQL Server 2022 or later
Is the URL for your Azure Blob storage, in the format similar to https://<storage_account_name>.blob.core.windows.net/<storage_container_name>/<backup_file_name>.bak.
ENCRYPTION BY PASSWORD ='password'
Is the password used to encrypt the master key in the file. This password is subject to complexity checks. For more information, see Password Policy.
The master key must be open and, therefore, decrypted before it's backed up. If it's encrypted with the service master key, the master key doesn't have to be explicitly opened. But if the master key is encrypted only with a password, it must be explicitly opened.
We recommend that you back up the master key as soon as it's created, and store the backup in a secure, off-site location.
If you're using SQL Server 2022 or later, and want to back up the database master key to an Azure Blob storage, the following prerequisites apply:
-
Have an Azure storage account.
-
Create a SQL Server credential using a shared access signature.
For more information, see Tutorial: Use Azure Blob Storage with SQL Server.
Requires CONTROL permission on the database.
The following example creates a backup of the AdventureWorks2012 master key to a file. Because this master key isn't encrypted by the service master key, a password must be specified when it's opened.
USE AdventureWorks2012;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'sfj5300osdVdgwdfkli7';
BACKUP MASTER KEY TO FILE = 'c:\temp\AdventureWorks2012_master_key'
ENCRYPTION BY PASSWORD = 'sd092735kjn$&adsg';
GO The following example creates a backup of the AdventureWorks2012 master key to an Azure Blob storage. Because this master key isn't encrypted by the service master key, a password must be specified when it's opened.
USE AdventureWorks2012;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'sfj5300osdVdgwdfkli7';
BACKUP MASTER KEY TO URL = 'https://mydocsteststorage.blob.core.windows.net/mytestcontainer/AdventureWorks2012_master_key.bak'
ENCRYPTION BY PASSWORD = 'sd092735kjn$&adsg';
GO CREATE MASTER KEY (Transact-SQL)
OPEN MASTER KEY (Transact-SQL)
CLOSE MASTER KEY (Transact-SQL)
RESTORE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
DROP MASTER KEY (Transact-SQL)
Encryption Hierarchy
BACKUP SYMMETRIC KEY