Channel: Microsoft SQL Server Tips & Tricks

Setting up Database mirroring in SQL Server 2008 using T-SQL when the database is encrypted using Transparent Data Encryption.


Consider the following scenario: you are using SQL Server 2008 Enterprise Edition RTM or a later version, and you are using Transparent Data Encryption (a new feature introduced in SQL Server 2008) to encrypt the database to be mirrored. The database encryption key is encrypted with a server certificate, which in turn is encrypted with the master database's database master key (usually a symmetric key).

 

When trying to set up database mirroring using SSMS you might get the exception below:

 

<Exception>

TITLE: Database Properties

------------------------------

An error occurred while starting mirroring.

------------------------------

ADDITIONAL INFORMATION:

Alter failed for Database '<DB_NAME>'.  (Microsoft.SqlServer.Smo)

 

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=10.0.1787.0+((Katmai_RTM_QFE-CU).090107-2206+)&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Alter+Database&LinkId=20476

------------------------------

Alter failed for DatabaseEncryptionKey 'Microsoft.SqlServer.Management.Smo.ObjectKeyBase'.  (Microsoft.SqlServer.Smo)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=10.0.1787.0+((Katmai_RTM_QFE-CU).090107-2206+)&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Alter+DatabaseEncryptionKey&LinkId=20476

------------------------------

An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)

------------------------------

Database '<DB_NAME>' cannot be opened. It is in the middle of a restore. (Microsoft SQL Server, Error: 927)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=10.00.1787&EvtSrc=MSSQLServer&EvtID=927&LinkId=20476

------------------------------

BUTTONS:

OK

------------------------------

</Exception>

 

It seems to be an issue with the SSMS GUI. To work around this problem you can use T-SQL to set up Database Mirroring of an encrypted database in SQL Server 2008.

Here, I am going to explain the step-by-step procedure for encrypting the database using TDE and then mirroring the encrypted database using T-SQL.

 

On the Principal Site

======================

/* Create a Database Master Key in the master database, secured by a password. If you omit the encryption mechanism (password) when creating the MASTER KEY, the database master key is encrypted by the SERVICE MASTER KEY (default behavior). In that scenario you would need to export the service master key and copy/import it on the mirror site.

The database master key is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the database.

Information about the database master key is visible in the sys.symmetric_keys catalog view.

If a database master key already exists and is not in use, or you want to change the encryption algorithm or the key protection mechanism, you can either alter the database master key or drop and recreate it.

In my test scenario, I'm dropping the existing master key and creating a new master key encrypted with a password */

 

--Check if the master key is already present.
USE master
GO
SELECT * FROM sys.symmetric_keys
GO

--Drop the existing Master Key
USE master
GO
DROP MASTER KEY
GO

--Create Master Key in the master database
USE master
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<TypeStrongPassword>';
GO

 

**Note: <TypeStrongPassword> should remain the same throughout the setup.

 

--Create a Server Certificate in the master database, encrypted with the master key created above, which will be used to encrypt the USER database encryption key.

USE master;
GO
CREATE CERTIFICATE <MyDB_Mirror_Server_Cert> WITH SUBJECT = 'SQL TDE CERT'
GO

 

*Note: Replace <MyDB_Mirror_Server_Cert> with the name of the certificate. You can specify any name of your choice. You can also change the SUBJECT to a more meaningful description.

 

-- Now, in the User database, create a Database Encryption Key. In my test scenario, I'm dropping the existing Database Encryption Key if it already exists and is not in use.
-- Information about the database encryption keys is stored in sys.dm_database_encryption_keys.

USE <UserDatabase>
GO
DROP DATABASE ENCRYPTION KEY
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE <MyDB_Mirror_Server_Cert>
GO

--Enable Transparent Data Encryption for the USER database
USE master;
GO
ALTER DATABASE <UserDatabase> SET ENCRYPTION ON
GO

 

-- Now back up the master key immediately
USE master;
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<TypeStrongPassword>';
BACKUP MASTER KEY TO FILE = '<Full path and exportmasterkey filename>'
    ENCRYPTION BY PASSWORD = '<TypeStrongPassword>';
GO

 

**Note: Replace <Full path and exportmasterkey filename> with the full path and export file name. Also replace <TypeStrongPassword> with the actual password used to encrypt the master key.

 

-- Now back up the server certificate as well

BACKUP CERTIFICATE <MyDB_Mirror_Server_Cert> TO FILE = '<Full path and export cert filename>'
    WITH PRIVATE KEY (FILE = '<Full path and export filename _key>',
    ENCRYPTION BY PASSWORD = '<TypeStrongPassword>');
GO

 

-- Perform a full database backup of the Principal database

 

 

On the Mirrored Site

====================

/* On the mirror server, restore the master key from the backup taken on the principal site. The database master key is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the database. Information about the database master key is visible in the sys.symmetric_keys catalog view.

If a database master key already exists and is not in use, drop the existing database master key (if any) and restore it from the backup taken on the principal site.

In my test scenario, I'm dropping the existing master key and restoring the master key from the backup taken on the principal site */

 

USE master
GO
DROP MASTER KEY
GO
RESTORE MASTER KEY
    FROM FILE = '<Full path and exportmasterkey filename>'
    DECRYPTION BY PASSWORD = '<TypeStrongPassword>'
    ENCRYPTION BY PASSWORD = '<TypeStrongPassword>';
GO

 

-- Create the server certificate on the mirror site using the PRIVATE KEY backed up from the principal site

USE master;
GO
DROP CERTIFICATE <MyDB_Mirror_Server_Cert>
GO

OPEN MASTER KEY DECRYPTION BY PASSWORD = '<TypeStrongPassword>'

CREATE CERTIFICATE <MyDB_Mirror_Server_Cert>
FROM FILE = '<Full path and export cert filename>'
WITH PRIVATE KEY (FILE = '<Full path and export filename _key>',
DECRYPTION BY PASSWORD = '<TypeStrongPassword>');
GO

 

-- Restore the database from backup WITH NORECOVERY (MOVE takes the logical file names of the data and log files)

RESTORE DATABASE <UserDatabase>
   FROM DISK = 'C:\Program Files\Microsoft SQL Server\MSSQL10.x\MSSQL\Backup\<Backup_FileName>.bak'
   WITH NORECOVERY,
      MOVE '<Logical file name of the primary data file>' TO
      'C:\Program Files\Microsoft SQL Server\MSSQL10.y\MSSQL\DATA\<PrimaryDB_File>.mdf',
      MOVE '<Logical file name of the log file>'
      TO 'C:\Program Files\Microsoft SQL Server\MSSQL10.y\MSSQL\DATA\<Log_File>.ldf'
GO

Where x = Instance ID of the Principal Server and y = Instance ID of the Mirror Server

 

-- On the mirror site, drop the existing mirroring endpoint and create the database mirroring endpoint as follows

DROP ENDPOINT <endpoint_mirroring>
GO

CREATE ENDPOINT <endpoint_mirroring>
    STATE = STARTED
    AS TCP (LISTENER_PORT = 7023)
    FOR DATABASE_MIRRORING (ROLE = PARTNER);
GO

-- Verify that the endpoint is properly configured and is in state "STARTED"

SELECT * FROM sys.database_mirroring_endpoints
GO

 

-- On the principal site, drop the existing mirroring endpoint and create the database mirroring endpoint as follows

DROP ENDPOINT <endpoint_mirroring>
GO

CREATE ENDPOINT <endpoint_mirroring>
    STATE = STARTED
    AS TCP (LISTENER_PORT = 7022)
    FOR DATABASE_MIRRORING (ROLE = PARTNER);
GO

-- Verify that the endpoint is properly configured and is in state "STARTED"

SELECT * FROM sys.database_mirroring_endpoints
GO

 

-- First, on the mirror server, set the principal server as partner of the mirror database

ALTER DATABASE <UserDatabase> SET PARTNER = 'TCP://<FQDN of the Principal Server>:7022'
GO

-- Now, on the principal server, set the mirror server as partner of the principal database

ALTER DATABASE <UserDatabase> SET PARTNER = 'TCP://<FQDN of the Mirror Server>:7023'
GO

 


Database Mirroring has now been successfully set up for a database that uses Transparent Data Encryption in SQL Server 2008.

You can test and verify that failover works fine using either SSMS or the T-SQL command.
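The following verification script is an addition to this post, not part of the original walkthrough. It is meant to be run on both the principal and the mirror after the steps above, and it assumes the same placeholder names (<UserDatabase>, <MyDB_Mirror_Server_Cert>) used throughout; it only uses catalog views and DMVs that exist in SQL Server 2008. It checks the three things that most often break TDE mirroring: a master key protected only by the service master key, a DEK whose protecting certificate is missing on the mirror, and an endpoint or session that is not in the expected state.

```sql
-- Run on BOTH the principal and the mirror instance.
USE master;
GO

-- 1. How is the database master key in master protected?
--    Expect an 'ENCRYPTION BY PASSWORD' row. If the only row is the
--    service master key, the RESTORE MASTER KEY step on the mirror cannot
--    be done with the password used in the walkthrough.
SELECT sk.name, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = '##MS_DatabaseMasterKey##';
GO

-- 2. The DEK of the user database must be protected by a certificate whose
--    thumbprint exists in master on THIS instance. If the join finds no
--    certificate on the mirror, the redo stream cannot be decrypted there.
SELECT DB_NAME(dek.database_id)      AS database_name,
       dek.encryption_state,          -- 3 = encrypted
       dek.key_algorithm,
       dek.key_length,
       dek.encryptor_thumbprint,
       c.name                         AS certificate_name,
       CASE WHEN c.thumbprint IS NULL THEN 'CERTIFICATE MISSING ON THIS INSTANCE'
            ELSE 'OK' END             AS certificate_check
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID('<UserDatabase>');
GO

-- 3. Endpoint state (must be STARTED, role PARTNER, on the port named in
--    the SET PARTNER string) and the mirroring session itself.
SELECT e.name, e.state_desc, e.role_desc, t.port
FROM sys.database_mirroring_endpoints AS e
JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id;

SELECT DB_NAME(database_id)          AS database_name,
       mirroring_role_desc,
       mirroring_state_desc,          -- SYNCHRONIZED once the session is healthy
       mirroring_safety_level_desc,
       mirroring_partner_name
FROM sys.database_mirroring
WHERE database_id = DB_ID('<UserDatabase>');
GO
```

Compare the encryptor_thumbprint returned by query 2 on the principal with the certificate thumbprint on the mirror; a mismatch means the certificate was recreated on the mirror instead of being restored from the principal's backup.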


 

Gurwinderjit Singh

Tech Lead, Microsoft SQL Server

