Encrypting a Database with Encryption Certificates

Attention: Breaking changes related to the databases encrypted with certificates: Backups produced by DbDefence v9.3.1.0 and higher can't be restored on an older version of DbDefence. Backups produced by an older version can be restored with the new version.

DbDefence can use installed certificates to encrypt databases. The benefit of this method is that you can install a certificate in Windows system storage, and by default this certificate is not exportable. This will ensure your database copy is protected. Nobody will be able to copy the database to the server without an installed certificate. Usually certificates are a part of corporate infrastructure and issued by authorities. If you do not have a real certificate, you may use a "self-signed" certificate generated for free here: https://getacert.com/selfsignedcert.html.

Fill in the information (maybe just for fun), choose RSA 1024 or higher, enter the pass phrase and remember it. After clicking "Generate", download the resulting file called "Personal Information Exchange PKCS#12" at the bottom.

To install the resulting certificate, start mmc.exe, in its File menu select "Add / Remove Snap-In..." It will display installed snap-ins.

Select the snap-in called Certificates and click Add. Several additional dialogs will then be displayed. Choose "Computer Account," Local Computer on the next page and then Finish.

Import the downloaded certificate file. At this stage, you will be asked for a password to generate the certificate.

If everything goes ok, you will see a newly added certificate. Now, when you encrypt the database with Encryptor, go to the Change Options dialog and try to add your newly added certificate. It should appear amongst several others or on its own.

Try to encrypt the database now. Before applying the certificate, Encryptor will try to check whether the currently selected SQL server has permissions to make encryption/decryption operations. If it can't be used, you will get an error message telling you. If you did everything properly and set up the certificate into the Local Computer storage, you then need to setup permissions on the private key.

Allow the key to be used by the SQL Server service account. Encryption should proceed after setting appropriate permissions.
A SQL server with DbDefence but without an installed certificate will not be able to attach the database. It will fail with an Access Denied error.

Certificate rotation

You may change the encryption certificate without re-encryption by using the function dbd-change-cert