Please create a master key in the database or open the master key in the session before performing this operation

When trying to restore an encrypted backup, I get the following error on the secondary replica, even though the replica has the master key (DMK), service master key, certificate and private key restored from the originating/primary server that produced the backup.

Msg 15581, Level 16, State 7, Line 137
Please create a master key in the database or open the master key in the session before performing this operation.
Msg 3013, Level 16, State 1, Line 137
VERIFY DATABASE is terminating abnormally.

To get around the error, I open and close the master key around the operation like this. However, on the primary I do not need to open and close the master key to perform the operation.

OPEN MASTER KEY DECRYPTION BY PASSWORD = 'MyTest!M4st3rPass';
RESTORE VERIFYONLY FROM DISK = '\FS1\SqlBackups\SQL01\SystemDbs\msdb_backup_2017_09_22_171915_6346240.bak' WITH FILE = 1, NOUNLOAD, NOREWIND;
CLOSE MASTER KEY ;

I believe this is because the primary has the backup history with the encryption thumbprint, but I am wondering whether I am missing something else related to the secondary.

However, since the certificate has been restored on the secondary, I assigned it to the backup encryption option of the SystemsDB backup maintenance plan; but if I also tick the verify option, the job fails for the same reason.

Source: Back Up Database Task
Executing query "BACKUP DATABASE [master] TO  DISK = N'\FS1\SqlBac...".: 50% complete
End Progress  
Error: 2017-09-22 17:08:09.28
Code: 0xC002F210
Source: Back Up Database Task Execute SQL Task
Description: Executing the query "declare @backupSetId as int  select @backupSetId =..." 
failed with the following error: "Please create a master key in the database or open the master key in the session before performing this operation.
VERIFY DATABASE is terminating abnormally.".
Possible failure reasons: Problems with the query, "ResultSet" property not set correctly, parameters not set correctly, or connection not established correctly.
End Error 

I am not sure if this is exactly what you are looking for, but the remarks on OPEN MASTER KEY seem relevant to this.

You will 100% want to test this somewhere other than production, but it seems that once the master key has been opened, you can opt out of requiring it by using the ALTER MASTER KEY REGENERATE command.

If the database master key was encrypted with the service master key, it will be automatically opened when it is needed for decryption or encryption. In this case, it is not necessary to use the OPEN MASTER KEY statement.

When a database is first attached or restored to a new instance of SQL Server, a copy of the database master key (encrypted by the service master key) is not yet stored in the server.

You must use the OPEN MASTER KEY statement to decrypt the database master key (DMK). Once the DMK has been decrypted, you have the option of enabling automatic decryption in the future by using the ALTER MASTER KEY REGENERATE statement to provision the server with a copy of the DMK, encrypted with the service master key (SMK).

When a database has been upgraded from an earlier version, the DMK should be regenerated to use the newer AES algorithm. For more information about regenerating the DMK, see ALTER MASTER KEY (Transact-SQL). The time required to regenerate the DMK key to upgrade to AES depends upon the number of objects protected by the DMK. Regenerating the DMK key to upgrade to AES is only necessary once, and has no impact on future regenerations as part of a key rotation strategy.

https://docs.microsoft.com/en-us/sql/t-sql/statements/open-master-key-transact-sql

Fixed.

Reference: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/sql-server-and-database-encryption-keys-database-engine

This passage gave it away:

The copy of the DMK stored in the master system database is silently updated whenever the DMK is changed. However, this default can be changed by using the DROP ENCRYPTION BY SERVICE MASTER KEY option of the ALTER MASTER KEY statement. A DMK that is not encrypted by the service master key must be opened by using the OPEN MASTER KEY statement and a password.

I ran the following on my secondary node.

  1. Drop certificate...
  2. Drop master key
  3. Create master key...
  4. Create certificate from file...

Checks that led to the solution.

--on primary, output: master 
select name from sys.databases where is_master_key_encrypted_by_server=1

--on secondary, output: nothing...
select name from sys.databases where is_master_key_encrypted_by_server=1

So I figured that if I could get the service master key to encrypt the master key by default, it would be decrypted automatically.

--on secondary
drop certificate [BackupCertWithPK]
drop master key

--Skipped restore master key from file.
--Instead, I ran create master key with password.
create master key encryption by password = 'MyTest!Mast3rP4ss';

--verify by open/close.
open master key decryption by password = 'MyTest!Mast3rP4ss';
close master key;

--proceed to restore/create cert from file.
create certificate [BackupCertWithPK] 
from file = '\FS1\SqlBackups\SQL1\Donot_delete_SQL1-Primary_BackupCertWithPK.cer' 
with private key (file = '\FS1\SqlBackups\SQL1\Donot_delete_SQL1-Primary_BackupCertWithPK.key' , decryption by password = 'key_Test!prim@ryP4ss') ; 

After this, I ran the select again.

--on secondary, output: master, now there was hope again!
select name from sys.databases where is_master_key_encrypted_by_server=1

Finally, I re-ran my backup job with both the verify and encryption options set, and it succeeded. The verify step did not fail and did not prompt me to open/close the master key.

The following now simply works as expected, without needing to open/close the master key.

RESTORE VERIFYONLY FROM DISK = '\FS1\SqlBackups\SQL01\SystemDbs\msdb_backup_2017_09_22_171915_6346240.bak' WITH FILE = 1, NOUNLOAD, NOREWIND;

Woohoo! Mission accomplished.

I ran into the same situation, but instead of recreating the DMK, I ran the following to fix the problem: ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
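The two fixes above (recreating the DMK, or adding SMK encryption to the existing one) both come down to the same condition: the secondary's DMK must carry an encryption by the service master key. The following T-SQL is an added example, not code from any of the posts; it checks that condition on the secondary and applies the ALTER MASTER KEY route only when it is missing. It assumes the DMK password and certificate name used in this thread; substitute your own.

```sql
-- Added example (not from the original posts). Run on the secondary, in master.
-- Goal: make the database master key (DMK) openable via the service master key (SMK)
-- so that RESTORE VERIFYONLY and the maintenance-plan verify step no longer need
-- OPEN MASTER KEY in the session.
USE master;
GO

-- 1. How is the DMK currently protected?
--    crypt_type ESKM = encrypted by the SMK, ESKP = encrypted by a password.
--    A healthy primary shows both rows; a secondary with only ESKP hits Msg 15581.
SELECT sk.name, ke.crypt_type, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = '##MS_DatabaseMasterKey##';

-- 2. Is the backup certificate present and is its private key protected by the DMK?
--    Expect ENCRYPTED_BY_MASTER_KEY; NO_PRIVATE_KEY means the .key file was not restored.
SELECT name, pvt_key_encryption_type_desc, thumbprint
FROM sys.certificates
WHERE name = 'BackupCertWithPK';   -- certificate name from the thread (assumption)

-- 3. If the SMK does not yet protect the DMK, open the DMK with its password once
--    and add the SMK encryption. This keeps the existing DMK (and therefore the
--    certificate's private key) intact, unlike dropping and recreating it.
IF NOT EXISTS (SELECT 1
               FROM sys.key_encryptions AS ke
               JOIN sys.symmetric_keys AS sk ON sk.symmetric_key_id = ke.key_id
               WHERE sk.name = '##MS_DatabaseMasterKey##'
                 AND ke.crypt_type = 'ESKM')
BEGIN
    OPEN MASTER KEY DECRYPTION BY PASSWORD = 'MyTest!Mast3rP4ss';  -- DMK password from the thread
    ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
    CLOSE MASTER KEY;
END;

-- 4. Same check the thread used: the primary listed 'master' here, the secondary
--    listed nothing. After step 3 the secondary should list 'master' as well.
SELECT name
FROM sys.databases
WHERE is_master_key_encrypted_by_server = 1;
```

Once the DMK is protected by the SMK, back up the secondary's service master key too, since losing it means falling back to the DMK password for every open.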