The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.
An XCCDF Rule
Description
<VulnDiscussion>Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-213913r961128_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.
BACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file'
WITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password');
As this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text.