dbatools

Get-DbaDbAsymmetricKey

Stuart Moore (@napalmgram), stuart-moore.com
Windows, Linux, macOS

Synopsis

Retrieves asymmetric keys from SQL Server databases for encryption management and security auditing

Description

Retrieves asymmetric keys stored in SQL Server databases, including their encryption algorithms, key lengths, owners, and thumbprints.
This function is essential for security audits and encryption key management, allowing DBAs to inventory all asymmetric keys across databases without manually querying system catalogs.
Asymmetric keys are used for encryption, digital signatures, and certificate creation in SQL Server’s transparent data encryption and column-level encryption features.
Returns detailed key properties to help with compliance reporting and security assessments.

Syntax

Get-DbaDbAsymmetricKey
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Database] <String[]>]
    [[-ExcludeDatabase] <String[]>]
    [[-Name] <String[]>]
    [[-InputObject] <Database[]>]
    [-EnableException]
    [<CommonParameters>]

Examples

Example: 1
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance sql2016

Gets all Asymmetric Keys

Example: 2
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance Server1 -Database db1

Gets the Asymmetric Keys for the db1 database

Example: 3
PS C:\> Get-DbaDbAsymmetricKey -SqlInstance Server1 -Database db1 -Name key1

Gets the key1 Asymmetric Key within the db1 database
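
The audit use case from the Description, chained through the pipeline as an added example (not part of the dbatools documentation). It assumes the placeholder instance name sql2016 from Example 1, a 2048-bit threshold chosen only for this illustration, and that the returned key objects expose Owner, KeyEncryptionAlgorithm, KeyLength, PrivateKeyEncryptionType and a byte-array Thumbprint.

```powershell
# Added example: inventory asymmetric keys in user databases and flag short keys.
# Assumptions: 'sql2016' is a placeholder instance; the property names read below
# (Owner, KeyEncryptionAlgorithm, KeyLength, PrivateKeyEncryptionType, Thumbprint)
# are assumed to be present on the objects Get-DbaDbAsymmetricKey returns.
$minimumBits = 2048   # audit threshold picked for this example, not a dbatools default

try {
    # -EnableException turns the friendly warnings into terminating errors,
    # so an unreachable instance fails the audit instead of yielding an empty report.
    $keys = Get-DbaDatabase -SqlInstance sql2016 -ExcludeSystem -EnableException |
        Get-DbaDbAsymmetricKey -EnableException
} catch {
    Write-Warning "Key inventory failed: $($_.Exception.Message)"
    return
}

$report = foreach ($key in $keys) {
    # Render the thumbprint (assumed byte[]) as hex so it survives CSV export.
    $thumbprintHex = ($key.Thumbprint | ForEach-Object { $_.ToString('X2') }) -join ''

    [pscustomobject]@{
        SqlInstance = $key.SqlInstance
        Database    = $key.Database
        Name        = $key.Name
        Owner       = $key.Owner
        Algorithm   = $key.KeyEncryptionAlgorithm
        KeyLength   = $key.KeyLength
        PrivateKey  = $key.PrivateKeyEncryptionType
        Thumbprint  = $thumbprintHex
        BelowPolicy = ($key.KeyLength -lt $minimumBits)
    }
}

# Keys under the threshold sort to the top for review.
$report | Sort-Object BelowPolicy -Descending | Format-Table -AutoSize

# Keep a dated copy so successive audits can be compared.
$csvPath = ".\asymmetric-key-inventory-$(Get-Date -Format 'yyyyMMdd').csv"
$report | Export-Csv -Path $csvPath -NoTypeInformation
```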

Optional Parameters

-SqlInstance

The target SQL Server instance

Property | Value
Alias |
Required | False
Pipeline | false
Default Value |

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Property | Value
Alias |
Required | False
Pipeline | false
Default Value |

-Database

Specifies which databases to scan for asymmetric keys. Accepts wildcards for pattern matching.
Use this when you need to audit encryption keys in specific databases instead of scanning all databases on the instance.
Essential for targeted security assessments or compliance audits of particular applications.

Property | Value
Alias |
Required | False
Pipeline | false
Default Value |

-ExcludeDatabase

Excludes specific databases from the asymmetric key scan. Accepts wildcards for pattern matching.
Use this to skip system databases, test databases, or databases known to not contain encryption keys.
Helps focus audits on production databases and reduces noise in security assessments.

Property | Value
Alias |
Required | False
Pipeline | false
Default Value |

-Name

Filters results to asymmetric keys with specific names. Accepts wildcards and multiple key names.
Use this when tracking specific keys during key rotation, compliance audits, or troubleshooting encryption issues.
Common when validating that required encryption keys exist across multiple databases.

Property | Value
Alias |
Required | False
Pipeline | false
Default Value |

-InputObject

Accepts database objects from the pipeline, typically from Get-DbaDatabase.
Use this to chain database filtering with key retrieval, such as getting keys from databases with specific properties.
Enables advanced filtering scenarios like scanning only databases created after a certain date or with particular owners.

Property | Value
Alias |
Required | False
Pipeline | true (ByValue)
Default Value |

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.

Property | Value
Alias |
Required | False
Pipeline | false
Default Value | False