Database Migration Service is fully compatible with encrypted SQL Server backups. You can upload your encryption key to Google Cloud so that Database Migration Service can safely decrypt your data and load it to the Cloud SQL for SQL Server destination instance without compromising your data security.
If you want to use encrypted backup files, you must encrypt every backup file (full, differential, transaction log) you use for a specific database included in your migration. That is, if you want to encrypt your full backup file, then you must also encrypt the differential backup file and the transaction log files you use for that database. All backup files must be encrypted with the same key.
Backup encryption is evaluated per database. For example, if you migrate two databases from your source SQL Server instance: my-business-database and my-other-database, you can use encrypted backups independently for my-business-database, or my-other-database, or both databases.
To use encrypted backups for your migration, perform the following steps:
Take the backup of your source SQL Server instance and use the encryption features. Save your encryption keys in a safe location to upload them later to Cloud Storage. See Backup encryption in Microsoft documentation.
Upload the encryption keys to a Cloud Storage bucket.
Google Cloud CLI only: Create a mapping file in the JSON format to match the encryption keys with their relevant databases included in your migration job. The mapping file is an array of objects that each represent mappings for a single database. Example configuration file:
    [
      {
        "database": "db1",
        "encryptionOptions": {
          "certPath": "Path to certificate 1",
          "pvkPath": "Path to certificate private key 1",
          "pvkPassword": "Private key password 1"
        }
      },
      {
        "database": "db2",
        "encryptionOptions": {
          "certPath": "Path to certificate 2",
          "pvkPath": "Path to certificate private key 2",
          "pvkPassword": "Private key password 2"
        }
      }
    ]
Where:
database is your database identifier. That identifier must match the database folder names in your Cloud Storage.
certPath, pvkPath and pvkPassword are Cloud Storage paths to the certificate files in the format gs://BUCKET_NAME/OBJECT_NAME. For example: gs://my-bucket-name/certificate-folder/certificate-key-file1. For more information, see Object namespaces in the Cloud Storage documentation.
Provide the Cloud Storage paths to your encryption keys when you create the migration job.
When you create more backup files (the differential backup file or transaction log files), make sure you encrypt them with the same encryption key you used for the full backup.
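A pre-flight check for the mapping file described in the steps above, as an added example that is not part of the Database Migration Service documentation or tooling: it confirms that each entry names a known database folder and that certPath, pvkPath and pvkPassword are all gs://BUCKET_NAME/OBJECT_NAME paths, which catches a password pasted inline. The function name validate_mapping, the database_folders argument and the sample object names are assumptions made for illustration.

```python
import json
import re

# gs://BUCKET_NAME/OBJECT_NAME, the format the page gives for all three fields.
GS_PATH = re.compile(r"^gs://[^/\s]+/\S+$")
REQUIRED = ("certPath", "pvkPath", "pvkPassword")

# Constructed sample: db2 carries an inline password instead of a gs:// path.
SAMPLE = """[
  {"database": "db1", "encryptionOptions": {
     "certPath": "gs://my-bucket-name/certificate-folder/db1.cer",
     "pvkPath": "gs://my-bucket-name/certificate-folder/db1.pvk",
     "pvkPassword": "gs://my-bucket-name/certificate-folder/db1.pwd"}},
  {"database": "db2", "encryptionOptions": {
     "certPath": "gs://my-bucket-name/certificate-folder/db2.cer",
     "pvkPath": "gs://my-bucket-name/certificate-folder/db2.pvk",
     "pvkPassword": "constructed-inline-secret"}}
]"""


def validate_mapping(text, database_folders):
    """Return a list of problems in a mapping file; an empty list means OK.
    database_folders (assumption): caller-supplied folder names in the bucket."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(entries, list):
        return ["top level must be an array of per-database objects"]
    problems, seen = [], set()
    for i, entry in enumerate(entries):
        db = entry.get("database") if isinstance(entry, dict) else None
        if not isinstance(db, str) or not db:
            problems.append(f"entry {i}: missing database identifier")
            continue
        if db in seen:
            problems.append(f"{db}: listed more than once")
        if db not in database_folders:
            problems.append(f"{db}: no matching database folder")
        seen.add(db)
        opts = entry.get("encryptionOptions")
        opts = opts if isinstance(opts, dict) else {}
        for key in REQUIRED:
            value = opts.get(key)
            # Report the field name only; the value may be a pasted secret.
            if not isinstance(value, str) or not GS_PATH.match(value):
                problems.append(f"{db}: {key} is not a gs:// object path")
    return problems
```

The problem messages name the offending field but never echo its value, so the output is safe to write to CI logs.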