![Backup service master key](https://cdn2.cdnme.se/5447227/9-3/23_64e61dfde087c337bd195b74.jpg)
When you backed up the certificate using the option WITH PRIVATE KEY you added to the backup the actual key used to encrypt things referenced by that certificate. How does it let you proceed even with a different password for the master key?
Isn't the certificate encrypted by the master key?

To be more precise, the certificate private key is the one encrypted by the master key and you can see that under the Remarks section of the CREATE MASTER KEY doc: The database master key is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the

You can check sys.certificates to see that information as well: SELECT name, pvt_key_encryption_type_desc, pvt_key_last_backup_date FROM sys.certificates;

So this also eliminates the possibility that it lets me restore the encrypted DB (even with a different master key) due to the master key being encrypted (and hence "recognised") by the service master key - since on the other instance the service master key should be different.
I'm trying to understand backup encryption and I have created a master key (in the master DB) and used a password as follows: USE master CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'test123!'

Then I create a certificate as follows: CREATE CERTIFICATE CertName

I back up this certificate as follows: BACKUP CERTIFICATE CertName TO FILE = 'C:\SQL2019\certbk.cert'

Then I take a DB backup using this certificate, delete the DB, certificate and the master key and try to restore the DB which is not possible (I do understand this). So I create the master key, restore the certificate from the certificate backup that was taken above and then it lets me restore the DB successfully.

My issue is that even if you provide a different password than what you originally used to create the master key (e.g. 'newpassword123!' instead of 'test123!'), it will still let you restore the certificate and the DB. Isn't the certificate encrypted by the master key? If so, how does it let you proceed even with a different password for the master key? Also if this is the case, why do we need to back up the master key? When we can just create a new one with a different password and all works well.

I also tried to restore this DB on another instance (after creating a new master key with a different password and after restoring the certificate as per above) and it still allowed me to restore this DB.