CREATE DATABASE ENCRYPTION KEY (Transact-SQL)

APPLIES TO: SQL Server (yes), Azure SQL Database (no), Azure Synapse Analytics (SQL DW) (no), Parallel Data Warehouse (yes)

Creates an encryption key that is used for transparently encrypting a database. For more information about transparent database encryption, see Transparent Data Encryption (TDE).

Transact-SQL Syntax Conventions

Syntax

-- Syntax for SQL Server

CREATE DATABASE ENCRYPTION KEY
       WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }
   ENCRYPTION BY SERVER
    {
        CERTIFICATE Encryptor_Name |
        ASYMMETRIC KEY Encryptor_Name
    }
[ ; ]

-- Syntax for Parallel Data Warehouse

CREATE DATABASE ENCRYPTION KEY
       WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }
   ENCRYPTION BY SERVER CERTIFICATE Encryptor_Name
[ ; ]

Arguments

WITH ALGORITHM = { AES_128 | AES_192 | AES_256 | TRIPLE_DES_3KEY }
Specifies the encryption algorithm that is used for the encryption key.

Note

Beginning with SQL Server 2016, all algorithms other than AES_128, AES_192, and AES_256 are deprecated. To use older algorithms (not recommended), you must set the database to database compatibility level 120 or lower.

ENCRYPTION BY SERVER CERTIFICATE Encryptor_Name
Specifies the name of the encryptor used to encrypt the database encryption key.

ENCRYPTION BY SERVER ASYMMETRIC KEY Encryptor_Name
Specifies the name of the asymmetric key used to encrypt the database encryption key. In order to encrypt the database encryption key with an asymmetric key, the asymmetric key must reside on an extensible key management (EKM) provider.

Remarks

A database encryption key is required before a database can be encrypted by using Transparent Database Encryption (TDE). When a database is transparently encrypted, the whole database is encrypted at the file level, without any special code modifications. The certificate or asymmetric key that is used to encrypt the database encryption key must be located in the master system database.

Database encryption statements are allowed only on user databases.

The database encryption key cannot be exported from the database. It is available only to the system, to users who have debugging permissions on the server, and to users who have access to the certificates that encrypt and decrypt the database encryption key.

The database encryption key does not have to be regenerated when the database owner (dbo) is changed.

A database encryption key is automatically created for a SQL Database database. You do not need to create a key using the CREATE DATABASE ENCRYPTION KEY statement.

Permissions

Requires CONTROL permission on the database and VIEW DEFINITION permission on the certificate or asymmetric key that is used to encrypt the database encryption key.

Examples

For additional examples using TDE, see Transparent Data Encryption (TDE), Enable TDE on SQL Server Using EKM, and Extensible Key Management Using Azure Key Vault (SQL Server).

The following example creates a database encryption key by using the AES_256 algorithm, and protects the private key with a certificate named MyServerCert.

USE AdventureWorks2012;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
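The statement above assumes the protecting certificate already exists in master. The following is an added, end-to-end example (not part of the original page) that walks the full key hierarchy described in the Remarks: it creates the database master key and certificate in master, backs the certificate up, creates the database encryption key in a user database, turns encryption on, and then verifies the result through sys.dm_database_encryption_keys. The database name TdeDemoDb, the certificate name TdeDemoCert, the backup file paths and the password placeholders are assumptions for illustration.

```sql
-- Added example (not from the original page). Assumed names: TdeDemoDb,
-- TdeDemoCert, C:\KeyBackup\...; replace the password placeholders.

-- 1. The encryptor must live in master (see Remarks). Create the database
--    master key there if it is missing, then a certificate protected by it.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TdeDemoCert')
    CREATE CERTIFICATE TdeDemoCert
        WITH SUBJECT = 'TDE protector for TdeDemoDb';
GO

-- 2. The DEK itself cannot be exported (see Remarks), so the certificate that
--    wraps it is the only thing that lets a backup be restored elsewhere.
--    Back it up, with its private key, before enabling encryption.
BACKUP CERTIFICATE TdeDemoCert
    TO FILE = 'C:\KeyBackup\TdeDemoCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\TdeDemoCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>');
GO

-- 3. Create the DEK in the user database (database encryption statements
--    are only allowed on user databases) with a non-deprecated algorithm.
USE TdeDemoDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeDemoCert;
GO

-- 4. Creating the DEK does not encrypt any pages by itself; TDE is switched
--    on per database.
ALTER DATABASE TdeDemoDb SET ENCRYPTION ON;
GO

-- 5. Verify. encryption_state: 2 = encryption in progress, 3 = encrypted.
--    The thumbprint join confirms which certificate in master protects the DEK.
SELECT d.name                 AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type,
       c.name                 AS encryptor_name
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d
    ON d.database_id = k.database_id
LEFT JOIN master.sys.certificates AS c
    ON c.thumbprint = k.encryptor_thumbprint
WHERE d.name = 'TdeDemoDb';
GO
```

Run the verification query again until encryption_state reports 3; while it reports 2, percent_complete shows how far the background encryption scan has progressed. If the final row shows encryptor_name as NULL, the DEK is protected by a certificate whose thumbprint is not in master, which is exactly the situation that makes a backup unrestorable on another instance.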

See Also

Transparent Data Encryption (TDE)
SQL Server Encryption
SQL Server and Database Encryption Keys (Database Engine)
Encryption Hierarchy
ALTER DATABASE SET Options (Transact-SQL)
ALTER DATABASE ENCRYPTION KEY (Transact-SQL)
DROP DATABASE ENCRYPTION KEY (Transact-SQL)
sys.dm_database_encryption_keys (Transact-SQL)