Azure TDE enabled MI with custom keys cross subscription backup and restore

SethuRam 66 Reputation points
2021-09-24T15:50:47.337+00:00

Hi,
I have an Azure MI with TDE custom key enabled, integrated with Key Vault, on subscription "abc" (consider this the production environment). I have a use case to take a COPYONLY backup (.bak) to Azure Blob storage and restore that backup to another Azure MI with TDE enabled (which is on a different subscription, "xyz").
Is it possible for a TDE-enabled Azure MI to do backup and restore to an Azure MI in another subscription (with TDE enabled), using custom managed keys? If so, could you please let me know the steps involved?

Azure SQL Database

Accepted answer
  1. Anurag Sharma 17,571 Reputation points
    2021-09-27T05:44:29.557+00:00

    Hi @SethuRam, welcome to the Microsoft Q&A forum.

    As per the article, "In Azure SQL Managed Instance copy-only backup cannot be created for a database encrypted with service-managed Transparent Data Encryption (TDE). Service-managed TDE uses internal key for encryption of data, and that key cannot be exported, so you could not restore the backup anywhere else. Consider using customer-managed TDE instead to be able to create copy-only backups of encrypted databases, but make sure to have encryption key available for later restore."

    So, firstly, we need to use customer-managed TDE if we want to take a copy-only backup, and then we can restore it across subscriptions as mentioned in the articles below:

    Copy-Only Backups - Please note this article explains the process of creating the backup in the local system. However, we can use a command like the one below to restore it on Azure Blob Storage:

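        USE [master]

        -- COPY_ONLY leaves the regular backup sequence untouched;
        -- CHECKSUM verifies page checksums while the backup is written.
        BACKUP DATABASE [SQLTestDB]
        TO URL = N'https://msftutorialstorage.blob.core.windows.net/sql-backup/sqltestdb_backup_2020_01_01_000001.bak'
        WITH COPY_ONLY, CHECKSUM
        GO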

    I have not tried this command myself, but you can refer to SQL backup and restore to Azure Blob storage service.

    Restore a database to Azure SQL Managed Instance with SSMS

    Please let me know if this helps or else we can discuss further on the same.

    ----------

    Please don't forget to click on the "Accept it as answer" button wherever the information provided helps you. This can be beneficial to other community members as well.
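
The backup and restore steps described in the answer above, written out as T-SQL for both instances. This is an added example, not part of the original answer or of Microsoft's documentation; the storage URL is reused from the answer, the SAS tokens are placeholders, and it assumes no credential for the container exists yet and that the customer-managed key has already been made available to the target instance.

```sql
-- === On the source instance (subscription "abc") ===
-- Record which key protects the database, so the same key can be made
-- available to the target instance before the restore.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,        -- 3 = encrypted
       encryptor_type,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID(N'SQLTestDB');
GO

-- The credential name must match the container URL.
-- <SAS-token> is a placeholder; supply it without the leading '?'.
CREATE CREDENTIAL [https://msftutorialstorage.blob.core.windows.net/sql-backup]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET = '<SAS-token>';
GO

BACKUP DATABASE [SQLTestDB]
TO URL = N'https://msftutorialstorage.blob.core.windows.net/sql-backup/sqltestdb_backup_2020_01_01_000001.bak'
WITH COPY_ONLY, CHECKSUM;
GO

-- === On the target instance (subscription "xyz") ===
-- Assumption: the key recorded above is already available to this instance.
CREATE CREDENTIAL [https://msftutorialstorage.blob.core.windows.net/sql-backup]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET = '<SAS-token>';
GO

-- Confirm the credential can reach and read the backup before restoring.
RESTORE HEADERONLY
FROM URL = N'https://msftutorialstorage.blob.core.windows.net/sql-backup/sqltestdb_backup_2020_01_01_000001.bak';
GO

RESTORE DATABASE [SQLTestDB]
FROM URL = N'https://msftutorialstorage.blob.core.windows.net/sql-backup/sqltestdb_backup_2020_01_01_000001.bak';
GO

-- Check the encryption state of the restored database.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       encryptor_type,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID(N'SQLTestDB');
GO
```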
