Backing Up the TDE Certificate from the Source RDS Instance

To restore a Transparent Data Encryption (TDE)–encrypted database between Amazon RDS for SQL Server instances, you must back up and restore the TDE certificate outside of Commvault before restoring the database.

Before you begin, make sure that the following requirements are met:

- TDE is enabled on the target RDS instance.

- You have sufficient permissions to run Amazon RDS stored procedures.

- You have secure storage available for the TDE certificate and private key backup files.

Procedure

  1. Connect to the source RDS instance.

  2. Run the msdb.dbo.rds_backup_tde_certificate stored procedure.

  3. Securely store the exported certificate and private key files.

    For more information, see the Amazon RDS documentation for SQL Server TDE certificate restore.

Back Up the TDE-Encrypted Database

  1. Perform a backup of the encrypted database in Commvault.

    For more information, see Backing Up an Amazon RDS for SQL Server Instance On Demand.

Restore the TDE Certificate to the Target RDS Instance

Before restoring the encrypted database, restore the certificate to the target RDS instance:

  1. Connect to the target RDS instance.

  2. Run the msdb.dbo.rds_restore_tde_certificate stored procedure.

  3. Provide the certificate and private key files that were previously backed up.

  4. Verify that the certificate is successfully restored.

    For more information, see Backing up and restoring TDE certificates on RDS for SQL Server.
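
The certificate backup on the source instance and the certificate restore and verification on the target instance, sketched in T-SQL as an added example that is not taken from the Commvault or Amazon documentation. Parameter names are those of the Amazon RDS stored procedures and should be confirmed against the Amazon RDS documentation. Every bucket, file, key ARN, database name, and certificate name is a placeholder, and the example assumes both instances can reach the S3 bucket and the KMS key.

```sql
-- Added example. All values in <angle brackets> are placeholders.

-- 1. SOURCE instance: identify the certificate that protects the database
--    and record its thumbprint for comparison after the restore.
SELECT d.name       AS database_name,
       c.name       AS certificate_name,
       c.thumbprint AS certificate_thumbprint,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases           AS d ON d.database_id = k.database_id
JOIN master.sys.certificates AS c ON c.thumbprint  = k.encryptor_thumbprint
WHERE d.name = N'<database_name>';

-- 2. SOURCE instance: export the certificate and its private key to S3.
--    The private key file is protected with the KMS key named here, so the
--    target instance must be allowed to use the same key.
EXECUTE msdb.dbo.rds_backup_tde_certificate
    @certificate_name        = N'<certificate_name from step 1>',
    @certificate_file_s3_arn = N'arn:aws:s3:::<bucket>/<certificate_file>.cer',
    @private_key_file_s3_arn = N'arn:aws:s3:::<bucket>/<key_file>.pvk',
    @kms_password_key_arn    = N'arn:aws:kms:<region>:<account-id>:key/<key-id>';

-- 3. TARGET instance: import the certificate from the same files.
--    Restored certificates take a name with the UserTDECertificate_ prefix.
EXECUTE msdb.dbo.rds_restore_tde_certificate
    @certificate_name        = N'UserTDECertificate_<name>',
    @certificate_file_s3_arn = N'arn:aws:s3:::<bucket>/<certificate_file>.cer',
    @private_key_file_s3_arn = N'arn:aws:s3:::<bucket>/<key_file>.pvk',
    @kms_password_key_arn    = N'arn:aws:kms:<region>:<account-id>:key/<key-id>';

-- 4. TARGET instance: confirm the certificate is present before starting
--    the database restore.
SELECT * FROM msdb.dbo.rds_fn_list_user_tde_certificates();

-- The thumbprint returned here must equal certificate_thumbprint from step 1;
-- a different value means the wrong certificate was restored and the
-- database restore will fail.
SELECT name, thumbprint, expiry_date
FROM master.sys.certificates
WHERE name LIKE N'UserTDECertificate[_]%';
```

Restrict access to the S3 objects and the KMS key to the roles that perform the backup and restore, because anyone holding both can decrypt backups of the database.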

Restore the TDE-Encrypted Database

After restoring the certificate, restore the database backup.

For instructions, see Restoring an Amazon RDS for SQL Server Database.

Important

The TDE certificate must be restored to the target RDS instance before restoring the encrypted database. If the certificate is not present, the restore operation will fail.
