Tuesday, April 26, 2011 1:54 PM
I am new to TDE and trying to enable TDE for the new project. We have been asked to use a certificate generated by the internal CA.
i have got the certificate as TDE_migration.cer, and did the following stuffs
1. CREATE MASTER KEY ENCRYPTION BY PASSWORD ='Rescdjban#567@Rtes'
<success fully executed the above>
2. CREATE CERTIFICATE TDE_migration_CERT FROM FILE = 'E:\DBA\TDE_migration.cer'
3. Use <DBName>
<failed with the following error>
Msg 15556, Level 16, State 1, Line 1
Cannot decrypt or encrypt using the specified certificate, either because it has no private key or because the password provided for the private key is incorrect.I am stuck here, can somebody help ?
Wednesday, April 27, 2011 11:26 PMModerator
The reason why TDE failed is that you only imported the public certificate, but not the corresponding private key (required by SQL to decrypt the DEK). You can use CREATE CERTIFICATE (or ALTER CERTIFICATE ) with the WITH PRIVATE KEY clause to import the private key.
NOTE: SQL Server currently only supports private keys for the certificates in PVK format.
An alternative may be to have a HSM-controlled asymmetric key to use for TDE. For more details please visit “HOW TO: Enable TDE using EKM” from BOL (http://msdn.microsoft.com/en-us/library/cc645957.aspx).
I hope this information helps,
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked As Answer by Stephanie LvModerator Tuesday, May 03, 2011 11:54 AM
Thursday, April 28, 2011 9:58 AM
let me check if i can get the PVK file and keep this thread updated