Password is required when adding a database to AG group if the database has a master key

-

Moved this post from my old blog.

 When you are trying add a database having a ‘master key’ to a AG group, you will see the message in SSMS.


clipboard_image_4.png

You can’t move to next step until you put the correct password of the ‘master key’.

This is an requirement of SSMS to help you manage SQL Server database master key password in secondary replicas.

Why we have this requirement?

When a master key is created, it’s encrypted by both password and service master key.

create MASTER KEY ENCRYPTION BY PASSWORD = ‘Password1’;

This master key will be open automatically when it’s need for decryption or encryption. In this case, it is not necessary to use the ‘OPEN Master Key’ T-SQL statement.

However, when a database is first attached or restored to a new instance of SQL Server, a copy of the database master key (encrypted by the service master key) is not yet stored in the server. You must use the OPEN MASTER KEY statement to decrypt the database master key (DMK). Once the DMK has been decrypted, you have the option of enabling automatic decryption in the future by using the ALTER MASTER KEY REGENERATE statement to provision the server with a copy of the DMK, encrypted with the service master key.

Let’s go back to SQL Server Alwayson Availability group scenario. If the password is not provided, the database is able to restored in secondary replicas. However, the database master key can’t be opened automatically because it’s not managed by the Service Master key in the secondary replica. It may cause application fail.

To avoid this issue, SQL Server (since 2016) has this enhancement to open the database master key automatically in secondary replicas.

The wizard will call stored procedure sp_control_dbmasterkey_password in all replicas to create an credential containing the password of master key.


clipboard_image_5.png

When SQL Server needs a database master key to decrypt or encrypt a key, SQL Server tries to decrypt the database master key with the service master key of the instance. If the decryption fails, SQL Server searches the credential store for master key credentials that have the same family GUID as the database for which it needs the master key. SQL Server then tries to decrypt the database master key with each matching credential until the decryption succeeds or there are no more credentials.

This is transparent to application. The application is able to use encrypt/decrypt in secondary replicas as it does in primary replica without modifying any code.

Here is an example:

create database dbtest
go
use dbtest
go
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Password1';
---This database master key will be encrypted by service master key automatically.
go
CREATE CERTIFICATE [certTest] WITH SUBJECT = 'certTest2019'
---This certificate will be encrypted by database master key
go
CREATE SYMMETRIC KEY [symkey_Test] WITH ALGORITHM =AES_192 ENCRYPTION BY CERTIFICATE [certTest]
---this symmetric key will be encrypted by the certificate
go


Let’s create a stored procedure used to encrypt/decrypt. Assume application will call the stored procedure to do transactions.

create proc procTest
as
OPEN SYMMETRIC KEY [symkey_Test]  DECRYPTION BY CERTIFICATE [certTest]
declare @blob varbinary(1000)
declare @pt varchar(1000)
SET @blob = encryptbykey( key_guid( 'symkey_Test'), 'data' )
SET @pt = convert( varchar(1000), decryptbykey( @blob ))
SELECT @pt, @blob
close SYMMETRIC KEY [symkey_Test]
go

Once the database is stored to a different SQL Server instance. Running the ‘procTest’ will fails because the database master key can’t be opened by the SQL Server instance.

In your case, if master key is not used(encryption/description/service broker, etc ), cx can remove it.

An known issue: ‘sp_control_dbmasterkey_password’ is only executed if ‘full database and log backup’ option is checked in ‘Select Initial Data Synchronization’ section


clipboard_image_6.png

‘Checking password of the database master key’ is skipped if you use other options. And ‘sp_control_dbmasterkey_password’ is not called.


clipboard_image_7.png

Comments

Post a Comment

popular posts

SQL Server Polybase in Failover cluster instance

-
Image
Since SQL Server 2017, you can install Polybase in SQL Server Failover cluster instance. SQL Server Polybase Dms and SQL Server Polybase Engine are created in Failover cluster, mapping to SQL Server Polybase Data Movement and SQL Server Engine respectively.     And following two registers keys are created in all the nodes. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLPBENGINE$InstanceName Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLPBDMS$SQL19     Here are some cases that cause SQL Server Polybase engine fail to start. 1.TCP/IP Protocol is disabled. 2.Polybase engine service fail to connect SQL Server instance. 3.Polybase engine service account does not have permission to access database [DWConfiguration],[DWDiagnostics] and [DWQueue] 4.T he   SQL Server Polybase engine Roles does not exist in Failover cluster. 1)In this case, you need to manually add the role back to failover cluster. Please note, the regis
Read more

Tutorial: Create SQL Cluster(FCI) on RHEL

-
Image
  In the Windows world, SQL Server integrates into Windows Server Failover Cluster (WSFC) natively, and we have a dedicated installation for SQL Server Cluster. However, on Linux, you need to install standalone SQL Server instance in the nodes first, and then configure the instance as a SQL Server cluster instance. I use SQL Server 2019 with RHEL 8.x in this tutorial, but it is possible to use SQL Server 2017 in RHEL 7.x or RHEL 8 to configure FCI. Here is the step by step  Video   Topology           1.ISCSI target server configuration   1. The two highlighted two disks will be the used as Shared Storage.     sdc is for the database files in /var/opt/mssql/data sdd is for the user databases files. If all your databases are stored /var/opt/mssql/data, feel free to  ignore all the steps link to device sdd.   2.Run fdisk to create partition. fdisk /dev/sdc fdisk /dev/sdd   Run lsblk again     3.Install targetcli package. yum -y
Read more

Configure multiple-subnet Always On Availability Groups and failover cluster instances by modifying CIB

-
Image
In the Windows world, a Windows Server Failover Cluster (WSFC) natively supports multiple subnets and handles multiple IP addresses via an OR dependency on the IP address. On Linux, there is no OR dependency, but there is a way to achieve a proper multi-subnet natively with Pacemaker, as shown by the following. You cannot do this by simply using the normal Pacemaker command line to modify a resource. You need to modify the cluster information base (CIB). The CIB is an XML file with the Pacemaker configuration. Reference: https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-configure-multiple-subnet?view=sql-server-ver15 Here is an example to create a SQL Server Linux Availability group in 4 nodes in 3 subnets in RHEL 7.6   If you are already familiar with the AG Group setup process, please just jump to step 16. 1.Register your subscription on for all servers (red1,red2,red3 and red4 in this case) subscription-manager register   2.List all available subscription,
Read more

Realcase: Failed to upgrade SQL Server 2016 SP2 CU11. (Installation success or error status: 1648)

-
Image
  One of my customer failed to upgrade SQL Server 2016 SP2 CU11. Here is the troubleshooting steps 1.Check SQL Server setup log(C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log\) Detailed results: Feature: Database Engine Services Status: Failed: see logs for details Reason for failure: An error occurred for a dependency of the feature causing the setup process for the feature to fail. Next Step: Use the following information to resolve the error, and then try the setup process again. Component name: SQL Server Common Files Component error code: 1648 Component log file: C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log\20191217_193009\SQLAG\sql_common_core_Cpu64_1.log Error description: No valid sequence could be found for the set of updates. Error help link: http://go.microsoft.com/fwlink?LinkId=20476&
Read more

How to find SQL Server Replication related jobs and T-SQL statements

-
Image
Verbose log is heavily used   in replication troubleshooting. You need to find the right job to enable to verbose log. However, it's not easy to find the   jobs when you have hundreds replication jobs in one server.     Here is how: 1.Distribution agent Following queries list all the distribution agent jobs, including push subscriptions and pull subscriptions. (You may need add more clause to customize your queries). By default, the SQL Server agent job names equal to the agent names for push subscription, unless you explicitly modify the job names. use distribution---in distributor server if not exists(select 1 from sys.tables where name ='MSreplservers') begin select job.name JobName,a.name AgentName, a.publisher_db,a.publication as publicationName,sp.name as publisherName ,ss.name as subscriber,a.subscriber_db, a.local_job From MSdistribution_agents a inner join sys.servers sp on a.publisher_id=sp.server_id--publisher inner join sys.servers ss on a.s
Read more

SQL Server Extents, PFS, GAM, SGAM and IAM and related corruptions

-
Image
  I’m going to start a series of posts talking about SQL Server allocation pages and corruption. Each post will have samples showing how SQL Server use these pages and scenarios of corruption. The first post will talk about the Extents, PFS, GAM, SGAM and IAM and related corruptions, you can find all concepts from following two pages: Pages and Extents Architecture Guide Under the covers: GAM, SGAM, and PFS pages   As there are many concepts and samples, I’m going to discuss the topics in two or three posts.   1.Extents Extents are the basic unit in which space is managed. An extent is eight physically contiguous pages, or 64 KB. This means SQL Server databases have 16 extents per megabyte. SQL Server has two types of extents: ·          Uniform  extents are owned by a single object; all eight pages in the extent can only be used by the owning object. ·          Mixed  extents are shared by up to eight objects. Each of the eight pages in the extent can be owned by
Read more

Tutorial: Add a node to SQL cluster on RHEL

-
Image
  In t his video , I demonstrated how to create a two nodes SQL Cluster instance.   I’m going to show you how to add another node to existing SQL Cluster.   Topology   1.ISCSI target server configuration   1.Add the new node (node3) to the ACLs list. This is the existing setting.     Here are the commands I used.   2. Enable and restart the target service. systemctl enable target.service systemctl restart target.service   2.ISCSI initiator configuration.   Configure ISCSI initiator in the new node (node3)   1.Install iscsi-initiator-utils   in all nodes. sudo yum install iscsi-initiator-utils -y   2.Edit the /etc/iscsi/initiatorname.iscsi , replace the existing value with following keywords, the one I used in step 4 of section[ISCSI target server configuration] InitiatorName=iqn.2020-08.com.contoso:node3             3.Discover iSCSI disk of the target. iscsiadm -m discovery -t st -p <ip of iscsi target server>
Read more

You may fail to backup log or restore log after TDE certification/key rotation

-
Image
  When TDE is enabled, all the records written to transaction log files are encrypted as well. During the TDE certification/key rotation, these log records are not touched. On changing certificate/keys, the current active VLF file, which is encrypted by old key, will be closed. New log records will be encrypted by new key and write to next available VLF or a new created VLF. At this stage, the transaction log file has both log records encrypted by old certificate, and the log records encrypted by new certificate. When you do the log backup, the log records that have been encrypted by old certificate, may be decrypted and then encrypted by new certificate to the backup file, or just be flushed to the backup file without doing any decryption/encryption, depending on how you run the log backup. This behavior may cause two different issues if the old certificate is removed. 1. When you do log backup with ‘COMPRESSION+MAXTRANSFERSIZE’ combination , SQL Server will decrypt records, which was
Read more

SQL Server GAM corruption samples

-
Image
In previous post , we discussed the PFS, GAM and SGAM pages. Today, I’m going show you two related corruptions on these pages.   SQL Server checks the bit in PFS, GAM, SGAM and IAM are checked when new pages are allocated. It guarantees that it does not store data to a wrong page/extent. These pages are crucial to SQL Server, SQL Server considers it as a corruption if they are messed up. I’m going to use the same database I used in previous article . You may restore the   backup  f ile and give it a try. Please note, restoring database will consume some pages and change the PFS, GAM, SGAM and IAM. You may get a different view from my mine.   Let me show you some of the content of GAM and SGAM before the corruption samples. Here are the GAM and SGAM page result: 1.GAM 2.SGAM 3.We can tell that the extent of page(1:352) and extents greater than that have not been allocated. 4.Let’s take a dive into the GAM page. 5.‘ 00000000 00f0 ’ interpretation: 5)Pa
Read more