SQL Server 2019企业-高可用性与主密钥

您可以尝试在主服务器上创建证书，在备份服务器上创建证书，并在辅助服务器上还原证书。

这段代码来自我的repo，是为使用docker创建的AlwaysOn演示而创建的。

-- PRIMARY
USE [master]
GO
-- Create masterkey
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd!';
GO
-- Create certificate
CREATE CERTIFICATE ao_certificate WITH SUBJECT = 'ao_certificate';
GO
BACKUP CERTIFICATE ao_certificate
TO FILE = '/var/opt/mssql/shared/ao_certificate.cert'
WITH PRIVATE KEY (
FILE = '/var/opt/mssql/shared/ao_certificate.key',
ENCRYPTION BY PASSWORD = 'P@ssw0rd!'
);
GO

二级

-- SECONDARY
USE [master]
GO
-- Create master key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd!';
GO
-- create certificate with private key created on primary server and saved to shared location
CREATE CERTIFICATE ao_certificate
FROM FILE = '/var/opt/mssql/shared/ao_certificate.cert'
WITH PRIVATE KEY (
FILE = '/var/opt/mssql/shared/ao_certificate.key',
DECRYPTION BY PASSWORD = 'P@ssw0rd!'
)
GO

是的，修复相对简单。从辅助副本获取服务主密钥(SMK)的备份，并将其恢复到主副本。这将使用恢复的SMK重新加密已经用现有SMK加密过的任何内容。由于两个副本之间的SMK现在是相同的，因此故障转移将是无缝的。

从次要到主的方向的原因是重新加密执行写(虽然不是很多)到用户数据库，这只允许在主副本上。

我团队的一位同事找到了一个更好的解决方案。

1. 在主数据库上，我将使用创建数据库时使用的加密密码将DBS1备份为主密钥:

   BACKUP SERVICE MASTER KEY TO FILE = 'D:Backupdbs1_service_master_key.key' ENCRYPTION BY PASSWORD = 'Wh@t3v3r_P@$$w0rd';
   

2. 在HA上将备用DB提升为主DB(故障转移)，这样您就可以运行下面的脚本:

   USE [YOURDATABASE]
   GO
   open master key decryption by password = 'Wh@t3v3r_P@$$w0rd'
   Alter Master Key Add encryption by Service Master Key
   GO
   

3. 复制备份在主DBS1上的服务主密钥，并复制到DBS2上的某个位置。仍然在"二级"上。现在在HA组上为主的DBS，恢复证书:

   RESTORE SERVICE MASTER KEY FROM FILE = 'D:Backupdbs1_service_master_key.key' DECRYPTION BY PASSWORD = 'Wh@t3v3r_P@$$w0rd';