I am trying to restore a full backup of a TDE encrypted database to an alternate server.
I overwrite an existing database on the destination server - but the restore fails even if I try creating a new database.
Prior to encrypting the databases, I was able to do this without any errors.
I have imported the certificate from the source server to the destination server and generated the database encryption key from the certificate using the same algorithm as was used for the encryption key on the source server.
The passwords for the the Master Key are different between the two servers.
The password used to encrypt the certificate backup file on the source server is different from the password for the Master Key.
When I created the certificate on the destination server, I gave it the same name as the certificate on the source server and used the password for the source certificate to decrypt.
Source:
CREATE MASTER KEY ENCRYPTION
BY PASSWORD='MasterPW@Source';
GO
CREATE CERTIFICATE My_Cert
WITH
SUBJECT='Database_Encryption';
GO
BACKUP CERTIFICATE My_Cert
TO FILE = 'C:\temp\My_Cert'
WITH PRIVATE KEY (file='C:\temp\My_Cert.pvk',
ENCRYPTION BY PASSWORD='CertPW@Source');
GO
USE SourceDB
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE My_Cert;
GO
Destination:
CREATE MASTER KEY ENCRYPTION
BY PASSWORD='MasterPW@Destination';
GO
CREATE CERTIFICATE My_Cert
FROM FILE = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\My_Cert'
WITH PRIVATE KEY
(
FILE='C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\My_Cert.pvk',
DECRYPTION BY PASSWORD='CertPW@Source'
);
GO
USE DestinationDB
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE My_Cert;
GO
I used the following options when generating the database backup:
COPY_ONLY,
NOFORMAT,
NOINIT,
SKIP,
NOREWIND,
NOUNLOAD,
COMPRESSION
I copied the .bak file to the destination server with a simple robocopy command.
I tried to restore the database to the destination server with the following options:
FILE=1,
NOUNLOAD,
REPLACE
The restore operation fails with the message:
"The media family on device 'D:\Backup\SourceDB.bak' is incorrectly formed. SQL Server cannot process this media family." and the database gets stuck in a (Restoring...) state.
My research to this point has found three suggested causes for the error:
- TDE encrypted database cannot be restored if the backup was compressed; but I have the same problem regardless of compressed or uncompressed backup.
- The .bak file of a TDE encrypted database will get corrupted if transferred to a different server without using a binary protocol; but it is my understanding that RoboCopy uses a binary transfer protocol.
- The SQL Server version of the source database is greater than the version of the destination database; the version of my source is Microsoft SQL Server 2019 (RTM-CU16-GDR) (KB5014353) - 15.0.4236.7 (X64), and the version of my destination is Microsoft SQL Server 2019 (RTM-CU12) (KB5004524) - 15.0.4153.1 (X64)
Is the slight difference in the SQL Server versions enough to cause this error?
Have I done something incorrectly in the encryption and/or backup-restore process?
Any solutions or advice would be greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 23%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 2%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESX%3C/text%3E%3C/svg%3E)