SQL Server Performance, DBA Best Practices & Enterprise Data Solutions | MyTechMantra
FacebookXPinterestEmailGoogle+LinkedInWhatsApp
DBADisaster RecoverySQL Server

Database Backup Encryption in SQL Server 2014 a Step by Step Implementation Guide

Ashish Kumar Mehta
6 min read

This is Page 2 of Database Backup Encryption in SQL Server 2014 a Step by Step Implementation Guide click here to read from the beginning.

Backup Database Using Encryption Feature of SQL Server 2014

Now that you have completed the prerequisites such as Database Master Key and Backup Certificate you can go ahead and create the encrypted database backups in SQL Server 2014. 

/* Execute the below TSQL code to create encrypted database backup in SQL Server 2014 */

BACKUP DATABASE [HumanResource]
TO DISK = N'X:\Backups\HumanResource_Encrypted.bak'
WITH
COMPRESSION,
ENCRYPTION
(
ALGORITHM = AES_256,
SERVER CERTIFICATE = BackupEncryptionCert
),
STATS = 5
GO

Once the above TSQL script is executed successfully the backup file will be Encrypted. Learn more about Database Compression Feature.

How to Restore an Encrypted Backup on the Same Instance

Execute the below script to restore encrypted backup of the database on the same instance of SQL Server 2014. 

RESTORE DATABASE [HumanResource]
FROM DISK = N'X:\Backups\HumanResource_Encrypted.bak'
WITH REPLACE, RECOVERY


How to restore Encrypted Backup on Different Instance of SQL Server were Certificate is not present

You will receive the below mentioned error message received while restoring encrypted database on the destination server when certificate is not found.

Error Message

Msg 33111, Level 16, State 3, Line 2
Cannot find server certificate with thumbprint ''.
Msg 3013, Level 16, State 1, Line 2
RESTORE DATABASE is terminating abnormally.

In such scenarios you need to Restore Master Key and Certificate on Destination Server. Read the steps mentioned below to restore master key and certificate on another server.



How to Restore Master Key and Certificate on Destination Server

Execute the below script to create master key on the destination server. 

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'C&mpl£xP@$$Wrd';

Execute the below script to create backup certificate on the destination server. 

CREATE CERTIFICATE BackupEncryptionCert
FROM FILE = 'X:\BackupCertificates\BackupEncryptionCert.bak'
WITH PRIVATE KEY (FILE = 'X:\BackupCertificates\BackupEncryptionCertKey.bak',
DECRYPTION BY PASSWORD = 'Certi%yC&mpl£xP@$$Wrd');

Once the Master Key and Certificate is created on Destination Server execute the restore database script. 

RESTORE DATABASE [HumanResource]
FROM DISK = N'X:\Backups\HumanResource_Encrypted.bak'
WITH REPLACE, RECOVERY


Conclusion

As a DBA you must importantly back up the certificate or asymmetric key, preferably to a different location than the backup file it was used to encrypt. Without the certificate or asymmetric key, you will not be able to restore the backup, resulting in a non-usable database backup file. Hence before implementing this feature on a Production database test it thoroughly and document all the TSQL scripts in a Source Control.

1 2

Ashish Kumar Mehta

Ashish Kumar Mehta is a distinguished Database Architect, Manager, and Technical Author with over two decades of hands-on IT experience. A recognized expert in the SQL Server ecosystem, Ashish’s expertise spans the entire evolution of the platform—from SQL Server 2000 to the cutting-edge SQL Server 2025.

Throughout his career, Ashish has authored 500+ technical articles across leading technology portals, establishing himself as a global voice in Database Administration (DBA), performance tuning, and cloud-native database modernization. His deep technical mastery extends beyond on-premises environments into the cloud, with a specialized focus on Google Cloud (GCP), AWS, and PostgreSQL.

As a consultant and project lead, he has architected and delivered high-stakes database infrastructure, data warehousing, and global migration projects for industry giants, including Microsoft, Hewlett-Packard (HP), Cognizant, and Centrica PLC (UK) / British Gas.

Ashish holds a degree in Computer Science Engineering and maintains an elite tier of industry certifications, including MCITP (Database Administrator), MCDBA (SQL Server 2000), and MCTS. His unique "Mantra" approach to technical training and documentation continues to help thousands of DBAs worldwide navigate the complexities of modern database management.

View all posts

You may also like

Follow us

Don't be shy, get in touch. We love meeting interesting people and making new friends.