Get-DbaDbAsymmetricKey
Synopsis
Retrieves asymmetric keys from SQL Server databases for encryption management and security auditing
Description
Retrieves asymmetric keys stored in SQL Server databases, including their encryption algorithms, key lengths, owners, and thumbprints.
This function is essential for security audits and encryption key management, allowing DBAs to inventory all asymmetric keys across databases without manually querying system catalogs.
Asymmetric keys are used for encryption, digital signatures, and certificate creation in SQL Server’s transparent data encryption and column-level encryption features.
Returns detailed key properties to help with compliance reporting and security assessments.
Syntax
Get-DbaDbAsymmetricKey
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-ExcludeDatabase] <String[]>]
[[-Name] <String[]>]
[[-InputObject] <Database[]>]
[-EnableException]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance sql2016
Gets all asymmetric keys from every database on the sql2016 instance
Example: 2
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance Server1 -Database db1
Gets the asymmetric keys in the db1 database on Server1
Example: 3
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance Server1 -Database db1 -Name key1
Gets only the asymmetric key named key1 in the db1 database on Server1
Optional Parameters
-SqlInstance
The target SQL Server instance
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-Database
Specifies which databases to scan for asymmetric keys. Accepts wildcards for pattern matching.
Use this when you need to audit encryption keys in specific databases instead of scanning all databases on the instance.
Essential for targeted security assessments or compliance audits of particular applications.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-ExcludeDatabase
Excludes specific databases from the asymmetric key scan. Accepts wildcards for pattern matching.
Use this to skip system databases, test databases, or databases known to not contain encryption keys.
Helps focus audits on production databases and reduces noise in security assessments.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-Name
Filters results to asymmetric keys with specific names. Accepts wildcards and multiple key names.
Use this when tracking specific keys during key rotation, compliance audits, or troubleshooting encryption issues.
Common when validating that required encryption keys exist across multiple databases.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-InputObject
Accepts database objects from the pipeline, typically from Get-DbaDatabase.
Use this to chain database filtering with key retrieval, such as getting keys from databases with specific properties.
Enables advanced filtering scenarios like scanning only databases created after a certain date or with particular owners.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value | |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Outputs
Microsoft.SqlServer.Management.Smo.AsymmetricKey
Returns one AsymmetricKey object per asymmetric key found in the specified databases. Each object represents a single asymmetric key stored in the database’s encryption hierarchy.
Default display properties (via Select-DefaultView):
- ComputerName: The computer name of the SQL Server instance
- InstanceName: The SQL Server instance name
- SqlInstance: The full SQL Server instance name (computer\instance)
- Database: The database name containing the asymmetric key
- Name: The name of the asymmetric key
- Owner: The principal that owns the asymmetric key
- KeyEncryptionAlgorithm: The encryption algorithm used for the key (RSA_512, RSA_1024, RSA_2048, RSA_3072, RSA_4096)
- KeyLength: The length of the key in bits (512, 1024, 2048, 3072, or 4096)
- PrivateKeyEncryptionType: How the private key is encrypted (NoEncryption, EncryptedByMasterKey, EncryptedByPassword)
- Thumbprint: The thumbprint (fingerprint) of the asymmetric key for verification and identification
Additional properties available (from SMO AsymmetricKey object):
- DatabaseId: Unique identifier of the database containing the key
- And all other standard SMO AsymmetricKey properties (use Select-Object * to see all)
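The pipeline pattern described under -InputObject and the output properties listed above combine into a small audit script. This is an added example, not part of the dbatools documentation: it inventories every user database on one instance, flags keys shorter than a policy minimum and private keys that are not protected by the database master key, and writes the result to CSV. The instance name, the 2048-bit threshold and the report path are placeholders; Get-DbaDatabase's -ExcludeSystem switch is used to skip system databases.

```powershell
# Added example (not from the dbatools docs): audit asymmetric keys on one instance.
# Assumes the dbatools module is installed and the caller can connect to $SqlInstance.
param(
    [string]$SqlInstance = 'sql2016',           # placeholder instance name
    [int]$MinimumKeyLength = 2048,              # policy threshold, an assumption
    [string]$ReportPath = '.\asymkey-audit.csv' # placeholder output path
)

Import-Module dbatools

try {
    # -EnableException turns connection/permission failures into catchable exceptions
    $keys = Get-DbaDatabase -SqlInstance $SqlInstance -ExcludeSystem -EnableException |
        Get-DbaDbAsymmetricKey -EnableException
} catch {
    Write-Error "Key inventory failed on ${SqlInstance}: $($_.Exception.Message)"
    return
}

$findings = foreach ($key in $keys) {
    $issues = [System.Collections.Generic.List[string]]::new()

    if ($key.KeyLength -lt $MinimumKeyLength) {
        $issues.Add("key length $($key.KeyLength) is below $MinimumKeyLength bits")
    }
    switch ($key.PrivateKeyEncryptionType) {
        'NoEncryption'        { $issues.Add('private key not protected by the master key; confirm whether a private key is present') }
        'EncryptedByPassword' { $issues.Add('private key protected by a password only, not by the database master key') }
    }

    # SMO exposes Thumbprint as a byte array (assumed); render it as hex so it survives Export-Csv
    $thumb = if ($key.Thumbprint -is [byte[]]) { [BitConverter]::ToString($key.Thumbprint) -replace '-' } else { "$($key.Thumbprint)" }

    [pscustomobject]@{
        SqlInstance              = $key.SqlInstance
        Database                 = $key.Database
        Name                     = $key.Name
        Owner                    = $key.Owner
        KeyEncryptionAlgorithm   = $key.KeyEncryptionAlgorithm
        KeyLength                = $key.KeyLength
        PrivateKeyEncryptionType = $key.PrivateKeyEncryptionType
        Thumbprint               = $thumb
        Issues                   = $issues -join '; '
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
# Show only the keys that need attention
$findings | Where-Object Issues | Format-Table Database, Name, KeyLength, PrivateKeyEncryptionType, Issues -AutoSize
```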