Home Library Learn Samples Downloads Support Community Forums
MSDN Library
Servers and Enterprise Development
SQL Server
SQL Server 2012
Product Documentation
Books Online for SQL Server 2012
Database Engine
Transact-SQL Reference (Database Engine)
Data Definition Language (DDL) Statements (Transact-SQL)
CREATE Statements (Transact-SQL)
CREATE AGGREGATE (Transact-SQL)
CREATE APPLICATION ROLE (Transact-SQL)
CREATE ASSEMBLY (Transact-SQL)
CREATE ASYMMETRIC KEY (Transact-SQL)
CREATE AVAILABILITY GROUP (Transact-SQL)
CREATE BROKER PRIORITY (Transact-SQL)
CREATE CERTIFICATE (Transact-SQL)
CREATE COLUMNSTORE INDEX (Transact-SQL)
CREATE CONTRACT (Transact-SQL)
CREATE CREDENTIAL (Transact-SQL)
CREATE CRYPTOGRAPHIC PROVIDER (Transact-SQL)
CREATE DATABASE (Transact-SQL)
CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL)
CREATE DATABASE ENCRYPTION KEY (Transact-SQL)
CREATE DEFAULT (Transact-SQL)
CREATE ENDPOINT (Transact-SQL)
CREATE EVENT NOTIFICATION (Transact-SQL)
CREATE EVENT SESSION (Transact-SQL)
CREATE FULLTEXT CATALOG (Transact-SQL)
CREATE FULLTEXT INDEX (Transact-SQL)
CREATE FULLTEXT STOPLIST (Transact-SQL)
CREATE FUNCTION (Transact-SQL)
CREATE INDEX (Transact-SQL)
CREATE LOGIN (Transact-SQL)
CREATE MASTER KEY (Transact-SQL)
CREATE MESSAGE TYPE (Transact-SQL)
CREATE PARTITION FUNCTION (Transact-SQL)
CREATE PARTITION SCHEME (Transact-SQL)
CREATE PROCEDURE (Transact-SQL)
CREATE QUEUE (Transact-SQL)
CREATE REMOTE SERVICE BINDING (Transact-SQL)
CREATE RESOURCE POOL (Transact-SQL)
CREATE ROLE (Transact-SQL)
CREATE ROUTE (Transact-SQL)
CREATE RULE (Transact-SQL)
CREATE SCHEMA (Transact-SQL)
CREATE SEARCH PROPERTY LIST (Transact-SQL)
CREATE SEQUENCE (Transact-SQL)
CREATE SERVER AUDIT (Transact-SQL)
CREATE SERVER AUDIT SPECIFICATION (Transact-SQL)
CREATE SERVER ROLE (Transact-SQL)
CREATE SERVICE (Transact-SQL)
CREATE SPATIAL INDEX (Transact-SQL)
CREATE STATISTICS (Transact-SQL)
CREATE SYMMETRIC KEY (Transact-SQL)
CREATE SYNONYM (Transact-SQL)
CREATE TABLE (Transact-SQL)
CREATE TRIGGER (Transact-SQL)
CREATE TYPE (Transact-SQL)
CREATE USER (Transact-SQL)
CREATE VIEW (Transact-SQL)
CREATE WORKLOAD GROUP (Transact-SQL)
CREATE XML INDEX (Transact-SQL)
CREATE XML SCHEMA COLLECTION (Transact-SQL)
Expand Minimize
2 out of 2 rated this helpful - Rate this topic

CREATE DATABASE ENCRYPTION KEY (Transact-SQL)

SQL Server 2012

Creates an encryption key that is used for transparently encrypting a database. For more information about transparent database encryption, see Transparent Data Encryption (TDE).

Topic link icon Transact-SQL Syntax Conventions

Copy 
CREATE DATABASE ENCRYPTION KEY
       WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }
   ENCRYPTION BY SERVER 
    {
        CERTIFICATE Encryptor_Name |
        ASYMMETRIC KEY Encryptor_Name
    }
[ ; ]
WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }

Specifies the encryption algorithm that is used for the encryption key.

ENCRYPTION BY SERVER CERTIFICATE Encryptor_Name

Specifies the name of the encryptor used to encrypt the database encryption key.

ENCRYPTION BY SERVER ASYMMETRIC KEY Encryptor_Name

Specifies the name of the asymmetric key used to encrypt the database encryption key. In order to encrypt the database encryption key with an asymmetric key, the asymmetric key must reside on an extensible key management provider.

A database encryption key is required before a database can be encrypted by using Transparent Database Encryption (TDE). When a database is transparently encrypted, the whole database is encrypted at the file level, without any special code modifications. The certificate or asymmetric key that is used to encrypt the database encryption key must be located in the master system database.

Database encryption statements are allowed only on user databases.

The database encryption key cannot be exported from the database. It is available only to the system, to users who have debugging permissions on the server, and to users who have access to the certificates that encrypt and decrypt the database encryption key.

The database encryption key does not have to be regenerated when a database owner (dbo) is changed.

Requires CONTROL permission on the database and VIEW DEFINITION permission on the certificate or asymmetric key that is used to encrypt the database encryption key.

For additional examples using TDE, see Transparent Data Encryption (TDE) and Enable TDE Using EKM.

The following example creates a database encryption key by using the AES_256 algorithm, and protects the private key with a certificate named MyServerCert.

Copy 
USE AdventureWorks2012;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
Did you find this helpful?
(1500 characters remaining)

Community Additions

ADD
© 2013 Microsoft. All rights reserved.
|
Site Feedback
© 2013 Microsoft. All rights reserved.