SQLSERVER2012透明加密（TDE ）问题

最近需要用到加密功能，找到了TDE，生成证书才发现安装的SQL版本不是企业版，目前似乎只有SQL2008以上的企业版才支持，可以升级吗，试了下自动升级，OK 提示成功，再安装依然提示版本不对select @@version 才发现版本没有变。 重装吧，找到控制面板卸载2012

最近需要用到加密功能，找到了TDE，生成证书才发现安装的SQL版本不是企业版，目前似乎只有SQL2008以上的企业版才支持，可以升级吗，试了下自动升级，OK 提示成功，再安装依然提示版本不对select @@version 才发现版本没有变。

重装吧，找到控制面板卸载2012 ，奇怪竟然卸载不了了。我把sql组建都卸载了 可以数据库依然能用，怪哉，是升级的原因？ 

重做系统吧

等待中........

系统做好 先安装SQL2012 企业版

OK 这下可以生成证书了，加密也顺利成功，下面的是加密过程

<span>USE</span><span> master;
</span><span>GO</span>
<span>--</span><span>查看master数据库是否被加密</span><span>
--</span><span>SELECT name,is_master_key_encrypted_by_server FROM sys.databases; --1表示加密</span><span>
--</span><span>每一个数据库只能有一个数据库主密钥</span><span>
--</span><span>删除旧的密钥证书</span>
<span>drop</span><span> CERTIFICATE MyServerCert
</span><span>Drop</span> master <span>Key</span> 
<span>GO</span>
<span>--</span><span>在master数据库中创建一个master key</span>
<span>CREATE</span> MASTER <span>KEY</span> ENCRYPTION <span>BY</span> PASSWORD <span>=</span> <span>'</span><span>P@ssw0rd</span><span>'</span><span>;
</span><span>--</span><span>查看master数据库下的密钥信息</span><span>
--</span><span>SELECT * FROM sys.symmetric_keys</span><span>
--</span><span>创建证书用来保护 数据库加密密钥 (DEK)</span>
<span>CREATE</span> CERTIFICATE MyServerCert <span>WITH</span> SUBJECT <span>=</span> <span>'</span><span>My DEK Certificate</span><span>'</span><span>;

</span><span>--</span><span>IF DB_ID('TDEDemo') IS NOT NULL</span><span>
--</span><span> DROP DATABASE TDEDemo</span>
<span>go</span>
<span>USE</span><span> demo1
</span><span>GO</span> 
<span>--</span><span>创建数据库加密key，使用MyServerCert这个证书加密</span><span>
--</span><span>Drop DATABASE ENCRYPTION KEY</span>
<span>CREATE</span> <span>DATABASE</span> ENCRYPTION <span>KEY</span>
<span>WITH</span> ALGORITHM <span>=</span><span> AES_256
ENCRYPTION </span><span>BY</span><span> SERVER CERTIFICATE MyServerCert
</span><span>go</span>
<span>--</span><span>执行上语句以后出现：</span><span>
/*</span><span>
Warning: The certificate used for encrypting the database encryption key has not been backed up. 
You should immediately back up the certificate and the private key associated with the certificate. 
If the certificate ever becomes unavailable or if you must restore or attach the database on another server, 
you must have backups of both the certificate and the private key or you will not be able to open the database.
</span><span>*/</span>
<span>/*</span><span>
警告: 用于对数据库加密密钥进行加密的证书尚未备份。应当立即备份该证书以及与该证书关联的私钥。
如果该证书不可用，或者您必须在另一台服务器上还原或附加数据库，则必须对该证书和私钥均进行备份，否则将无法打开该数据库。
</span><span>*/</span>

<span>--</span><span>提示你，立刻备份证书;这里备份证书,不比制定加密私钥的对称密钥了.因为他的密钥是通过master数据库的主数据库密钥加密了.</span><span>
--</span><span>相应的，我们备份一下数据库主密钥(master)</span>

<span>USE</span><span> master;
</span><span>GO</span>
<span>--</span><span>如果没有启用主密钥的自动解密功能</span><span>
--</span><span>OPEN MASTER KEY DECRYPTION BY PASSWORD ='P@ssw0rd';</span>
<span>BACKUP</span> MASTER <span>KEY</span> <span>TO</span> <span>FILE</span><span>=</span><span>'</span><span>D:\Cers\master_key</span><span>'</span> ENCRYPTION <span>BY</span> PASSWORD<span>=</span>N<span>'</span><span>P@ssw0rd</span><span>'</span><span>--</span><span>备份主数据库密钥DMK</span>
<span>BACKUP</span> CERTIFICATE MyServerCert <span>TO</span> <span>FILE</span> <span>=</span> <span>'</span><span>D:\Cers\master_cer</span><span>'</span> <span>--</span><span>备份数据库证书</span>
    <span>WITH</span> PRIVATE <span>KEY</span><span> ( 
    </span><span>FILE</span> <span>=</span> <span>'</span><span>D:\Cers\master_cert.pvk</span><span>'</span> , <span>--</span><span>自动生成pvk</span>
    ENCRYPTION <span>BY</span> PASSWORD <span>=</span> <span>'</span><span>P@ssw0rd</span><span>'</span><span> );
</span><span>GO</span> 

<span>--</span><span>生产环境下，设置成单用户在运行加密</span><span>
--</span><span>ALTER DATABASE dbname SET SINGLE_USER WITH ROLLBACK IMMEDIATE;</span>
<span>USE</span><span> master
</span><span>GO</span>
<span>BACKUP</span> <span>DATABASE</span> demo1 <span>TO</span> <span>DISK</span><span>=</span>N<span>'</span><span>D:\demo1.bak</span><span>'</span> 

<span>/*</span><span>
经测试 OFF ON 有时会提示失败
消息 33122，级别 16，状态 1，第 1 行
此命令要求数据库 'TDEDemo' 上有数据库加密扫描。但是，自上次挂起日志备份的加密扫描以来，数据库已经更改。请提取一个日志备份，然后重试该命令。
消息 5069，级别 16，状态 1，第 1 行
ALTER DATABASE 语句失败。
</span><span>*/</span>
<span>--</span><span>查看数据库是否被加密  encryption_state:3 TDE加密了</span>
<span>SELECT</span> <span>DB_NAME</span>(database_id) <span>as</span> dbname,encryption_state <span>FROM</span><span> sys.dm_database_encryption_keys;

</span><span>--</span><span>备份成功以后，开启TDE 加密 </span>
<span>ALTER</span> <span>DATABASE</span> demo1 <span>SET</span> ENCRYPTION <span>ON</span>
<span>--</span><span>关闭TDE 加密</span>
<span>ALTER</span> <span>DATABASE</span> demo1 <span>SET</span> ENCRYPTION <span>OFF</span><span>;

</span><span>--</span><span>设置多用户访问</span><span>
--</span><span>ALTER DATABASE dbname SET MULTI_USER WITH ROLLBACK IMMEDIATE;</span>
<span>GO</span>

奇怪的是 我多次开启TDE ON OFF  后过一阵子会出现下列错误，出现该错误后 无法开启或关闭TDE，重建数据库才好，不知道是什么原因

<span>消息 <span>33122</span>，级别 <span>16</span>，状态 <span>2</span>，第 <span>1</span> 行
此命令要求数据库 'demo1' 上有数据库加密扫描。但是，自上次挂起日志备份的加密扫描以来，数据库已经更改。请提取一个日志备份，然后重试该命令。
消息 <span>5069</span>，级别 <span>16</span>，状态 <span>1</span>，第 <span>1</span> 行
ALTER DATABASE 语句失败。</span>

加密以后是还原的问题，如果服务器出现问题 还原到其他机器是经常用到的，经测试发现还原到非企业版是无法正常使用的，也就是必须是企业版才能支持被TDE保护的数据库（不知道理解的对不对），以下是还原代码

<span>USE</span><span> master;
</span><span>go</span>
<span>--</span><span>查看master数据库是否被加密</span><span>
--</span><span>SELECT name,is_master_key_encrypted_by_server FROM sys.databases; --1表示加密</span><span>
--</span><span>GO</span><span>
--</span><span>如果存在删除master数据库下的主数据库密钥</span><span>
--</span><span>DROP MASTER KEY;</span><span>
/*</span><span>*
--网上有说用该方法恢复主密钥的 但经测试该方法 无法正常的恢复主密钥 不知道是否我的版本问题 测试版本SQL2012 企业版
RESTORE MASTER KEY 
FROM FILE = 'D:\Cers\master_key' 
DECRYPTION BY PASSWORD = 'P@ssw0rd' 
ENCRYPTION BY PASSWORD = 'P@ssw0rd';
*</span><span>*/</span>
<span>CREATE</span> MASTER <span>KEY</span> ENCRYPTION <span>BY</span> PASSWORD <span>=</span> <span>'</span><span>P@ssw0rd</span><span>'</span>;<span>--</span><span>创建主密钥 可以和要恢复的不同 </span>
<span>GO</span>
<span>--</span><span>创建证书</span><span>
--</span><span>drop CERTIFICATE MyServerCert</span>
<span>CREATE</span><span> CERTIFICATE MyServerCert 
    </span><span>FROM</span> <span>FILE</span> <span>=</span> <span>'</span><span>D:\Cers\master_cer</span><span>'</span> 
    <span>WITH</span> PRIVATE <span>KEY</span> (<span>FILE</span> <span>=</span> <span>'</span><span>D:\Cers\master_cert.pvk</span><span>'</span><span>, 
    DECRYPTION </span><span>BY</span> PASSWORD <span>=</span> <span>'</span><span>P@ssw0rd</span><span>'</span>);<span>--</span><span>和要恢复的密钥相同PWD 其他文件要保持路径一致</span>
<span>GO</span> 

<span>--</span><span>-数据库还原操作</span><span>
--</span><span>如果数据库逻辑文件名无法确定可以使用下面的语句进行查看那</span><span>
--</span><span>restore filelistonly from DISK=N'D:\Cers\Demo1.bak'</span><span>
--</span><span>如果物理路径不一致可以使用move语句进行修改</span>
<span>RESTORE</span> <span>DATABASE</span><span> demo
</span><span>FROM</span> <span>DISK</span><span>=</span>N<span>'</span><span>D:\Cers\Demo1.bak</span><span>'</span>
<span>with</span> move <span>'</span><span>demo1</span><span>'</span>     <span>to</span> <span>'</span><span>d:\data\demo.mdf</span><span>'</span><span>
    ,move </span><span>'</span><span>demo1_log</span><span>'</span> <span>to</span> <span>'</span><span>d:\data\demo.ldf</span><span>'</span>
<span>GO</span>

还原到商业版提示如下

有知道解决办法的，欢迎留言 感激不尽