Use encrypted SQL Server backup files

Database Migration Service is fully compatible with encrypted SQL Server backups. You can upload your encryption key to Google Cloud so that Database Migration Service can safely decrypt your data and load it to the Cloud SQL for SQL Server destination instance without compromising your data security.

To use encrypted backups for your migration, perform the following steps:

  1. Take a full backup of your source SQL Server instance with backup encryption enabled. Save your encryption keys in a safe location so that you can upload them to Cloud Storage later.

    See Backup encryption in Microsoft documentation.

  2. Upload the encryption keys to a Cloud Storage bucket.

  3. Google Cloud CLI only: Create a mapping file in JSON format that matches the encryption keys to the databases included in your migration job. The mapping file is an array of objects, each of which represents the mapping for a single database. Example configuration file:

    [
      {
        "database": "db1",
        "encryptionOptions": {
          "certPath": "Path to certificate 1",
          "pvkPath": "Path to certificate private key 1",
          "pvkPassword": "Private key password 1"
        }
      },
      {
        "database": "db2",
        "encryptionOptions": {
          "certPath": "Path to certificate 2",
          "pvkPath": "Path to certificate private key 2",
          "pvkPassword": "Private key password 2"
        }
      }
    ]

    Where:

    • database is your database identifier. That identifier must match the database folder names in your Cloud Storage.
    • certPath, pvkPath and pvkPassword are Cloud Storage paths to the certificate files in the format gs://BUCKET_NAME/OBJECT_NAME. For example: gs://my-bucket-name/certificate-folder/certificate-key-file1. For more information, see Object namespaces in the Cloud Storage documentation.
  4. Provide the Cloud Storage paths to your encryption keys when you create the migration job.
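
A pre-flight check for the mapping file from step 3, as an added example (not part of Google's documentation or tooling): it verifies the array-of-objects structure, that certPath and pvkPath use the gs://BUCKET_NAME/OBJECT_NAME form, and that each database identifier matches a backup folder name. The function name, the backup_folders argument and the sample values are assumptions; pvkPassword is checked for presence only.

```python
import json
import re

GS_PATH = re.compile(r"^gs://[^/\s]+/.+$")  # gs://BUCKET_NAME/OBJECT_NAME
REQUIRED = ("certPath", "pvkPath", "pvkPassword")

def validate_mapping(text, backup_folders):
    """Return a list of problems (empty = OK); values are never echoed, so output is safe to log."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(entries, list):
        return ["top level must be an array of per-database objects"]
    problems, seen = [], set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not an object")
            continue
        db = entry.get("database")
        if not isinstance(db, str) or not db:
            problems.append(f"entry {i}: 'database' missing or empty")
        elif db in seen:
            problems.append(f"entry {i}: duplicate database {db!r}")
        elif db not in backup_folders:  # must match a database folder name
            problems.append(f"entry {i}: no backup folder named {db!r}")
        seen.add(db if isinstance(db, str) else "")
        opts = entry.get("encryptionOptions")
        if not isinstance(opts, dict):
            problems.append(f"entry {i}: 'encryptionOptions' missing")
            continue
        for key in REQUIRED:
            value = opts.get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"entry {i}: '{key}' missing or empty")
            elif key != "pvkPassword" and not GS_PATH.match(value):
                problems.append(f"entry {i}: '{key}' is not gs://BUCKET_NAME/OBJECT_NAME")
    return problems

# Constructed sample: db2 has a relative certPath and no pvkPassword.
SAMPLE = """[
 {"database": "db1", "encryptionOptions": {"certPath": "gs://my-bucket-name/certs/db1.cer",
   "pvkPath": "gs://my-bucket-name/certs/db1.pvk", "pvkPassword": "constructed-placeholder"}},
 {"database": "db2", "encryptionOptions": {"certPath": "certs/db2.cer",
   "pvkPath": "gs://my-bucket-name/certs/db2.pvk"}}
]"""

if __name__ == "__main__":
    print("\n".join(validate_mapping(SAMPLE, backup_folders={"db1", "db2"})))
```

Because the mapping file carries the private key password, keep it out of version control and restrict its file permissions to the account that runs the gcloud command.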