Migrate to Innovate Summit:
Learn how migrating and modernizing to Azure can boost your business's performance, resilience, and security, enabling you to fully embrace AI.Register now
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
In this article, learn how to migrate the certificate before you migrate your TDE-protected SQL Server database to Azure SQL Managed Instance by using the native restore option.
When you migrate a database protected by Transparent Data Encryption (TDE) from SQL Server to Azure SQL Managed Instance using the native restore option, you must first migrate the corresponding certificate before you restore the database to SQL managed instance.
Alternatively, you can use the fully managed Azure Database Migration Service to seamlessly migrate both a TDE-protected database and the corresponding certificate.
This article focuses on migrating databases from SQL Server to Azure SQL Managed Instance. To move databases between SQL managed instances, review:
To complete the steps in this article, you need the following prerequisites:
Pvk2Pfx command-line tool installed on the on-premises server or other computer with access to the certificate exported as a file. The Pvk2Pfx tool is part of the Enterprise Windows Driver Kit, a self-contained command-line environment.
The certificate can be exported directly from the source SQL Server instance, or from the certificate store if it's being kept there.
Export the certificate from the source SQL Server instance
Use the following steps to export the certificate with SQL Server Management Studio and convert it into .pfx format. The generic names TDE_Cert and full_path are being used for certificate and file names and paths through the steps. They should be replaced with the actual names.
In SSMS, open a new query window and connect to the source SQL Server instance.
Use the following script to list TDE-protected databases and get the name of the certificate protecting encryption of the database to be migrated:
SQL
USEmasterGOSELECT db.name as [database_name], cer.name as [certificate_name]
FROM sys.dm_database_encryption_keys dek
LEFTJOIN sys.certificates cer
ON dek.encryptor_thumbprint = cer.thumbprint
INNERJOIN sys.databases db
ON dek.database_id = db.database_id
WHERE dek.encryption_state = 3
Execute the following script to export the certificate to a pair of files (.cer and .pvk), keeping the public and private key information:
If the certificate is kept in the SQL Server local machine certificate store, it can be exported using the following steps:
Open the PowerShell console and execute the following command to open the Certificates snap-in of Microsoft Management Console:
Windows Command Prompt
certlm
In the Certificates MMC snap-in, expand the path Personal > Certificates to see the list of certificates.
Right-click the certificate and click Export.
Follow the wizard to export the certificate and private key to a .pfx format.
Upload the certificate to Azure SQL Managed Instance using an Azure PowerShell cmdlet
Important
A migrated certificate is only used to restore the TDE-protected database. Shortly after the restore completes, the migrated certificate is replaced by a different protector, either a service-managed certificate or an asymmetric key from the key vault, depending on the type of TDE you set on the instance.
# import the module into the PowerShell sessionImport-Module Az
# connect to Azure with an interactive dialog for sign-inConnect-AzAccount# list subscriptions available and copy id of the subscription target the managed instance belongs toGet-AzSubscription# set subscription for the sessionSelect-AzSubscription <subscriptionId>
Once all preparation steps are done, run the following commands to upload base-64 encoded certificate to the target managed instance:
Azure PowerShell
# If you are using PowerShell 6.0 or higher, run this command:$fileContentBytes = Get-Content'C:/full_path/TDE_Cert.pfx' -AsByteStream# If you are using PowerShell 5.x, uncomment and run this command instead of the one above:# $fileContentBytes = Get-Content 'C:/full_path/TDE_Cert.pfx' -Encoding Byte$base64EncodedCert = [System.Convert]::ToBase64String($fileContentBytes)
$securePrivateBlob = $base64EncodedCert | ConvertTo-SecureString -AsPlainText -Force$password = "<password>"$securePassword = $password | ConvertTo-SecureString -AsPlainText -ForceAdd-AzSqlManagedInstanceTransparentDataEncryptionCertificate -ResourceGroupName"<resourceGroupName>" `
-ManagedInstanceName"<managedInstanceName>" -PrivateBlob$securePrivateBlob -Password$securePassword
The certificate is now available to the specified managed instance, and the backup of the corresponding TDE-protected database can be restored successfully.
Note
Uploaded certificate is not visible in the sys.certificates catalog view. To confirm successful upload of the certificate you can run RESTORE FILELISTONLY command.
Next steps
In this article, you learned how to migrate a certificate protecting the encryption key of a database with Transparent Data Encryption, from the on-premises or IaaS SQL Server instance to Azure SQL Managed Instance.
Discover the tools and features available to migrate SQL workloads from on-premises to Azure Virtual Machines (VMs), including the Azure SQL Migration extension for Azure Data Studio and Data Migration Assistant.
Administer an SQL Server database infrastructure for cloud, on-premises and hybrid relational databases using the Microsoft PaaS relational database offerings.
Learn how to migrate on-premises SQL Server TDE-enabled databases (preview) to Azure SQL by using Azure Data Studio and Azure Database Migration Service.
Learn how to respond to a potentially compromised TDE protector for Azure SQL Database or Azure Synapse Analytics using TDE with Bring Your Own Key (BYOK) support.
Learn how to automate the configuration of SQL Server encryption for use with Azure Key Vault. This topic explains how to use Azure Key Vault Integration with SQL virtual machines created with Resource Manager.
