
Get-DbaDbEncryption

Stephen Bennett, sqlnotesfromtheunderground.wordpress.com
Windows, Linux, macOS

Synopsis

Retrieves comprehensive encryption inventory from SQL Server databases including TDE status, certificates, and keys.

Description

Audits database-level encryption across SQL Server instances by examining TDE encryption status, certificates, asymmetric keys, and symmetric keys within each database. Returns detailed information including key algorithms, lengths, owners, backup dates, and expiration dates for compliance reporting and security assessments. Particularly useful for encryption audits, certificate lifecycle management, and ensuring regulatory compliance across your SQL Server environment.

Syntax

Get-DbaDbEncryption
    [-SqlInstance] <DbaInstanceParameter[]>
    [[-SqlCredential] <PSCredential>]
    [[-Database] <Object[]>]
    [[-ExcludeDatabase] <Object[]>]
    [-IncludeSystemDBs]
    [-EnableException]
    [<CommonParameters>]


Examples


Example: 1
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01

List all encryption found on the instance by database

Example: 2
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -Database MyDB

List all encryption found for the MyDB database.

Example: 3
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -ExcludeDatabase MyDB

List all encryption found for all databases except MyDB.

Example: 4
PS C:\> Get-DbaDbEncryption -SqlInstance DEV01 -IncludeSystemDBs

List all encryption found for all databases including the system databases.

Required Parameters

-SqlInstance

The target SQL Server instance or instances. This can be a collection and receive pipeline input.

Property        Value
Alias
Required        True
Pipeline        true (ByValue)
Default Value

Optional Parameters

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Property        Value
Alias
Required        False
Pipeline        false
Default Value

-Database

Specifies which databases to examine for encryption objects including TDE, certificates, and keys. Accepts database names as strings or arrays.
Use this to focus encryption audits on specific databases rather than scanning all user databases on the instance.

Property        Value
Alias
Required        False
Pipeline        false
Default Value

-ExcludeDatabase

Excludes specific databases from the encryption inventory scan. Useful when you need to audit most databases but skip certain ones.
Commonly used to exclude databases with known encryption issues or maintenance databases that don’t require encryption compliance checks.

Property        Value
Alias
Required        False
Pipeline        false
Default Value

-IncludeSystemDBs

Includes system databases (master, model, msdb, tempdb) in the encryption inventory. By default, only user databases are scanned.
Use this when conducting comprehensive security audits that require visibility into system database encryption objects and TDE configurations.

Property        Value
Alias
Required        False
Pipeline        false
Default Value   False

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.

Property        Value
Alias
Required        False
Pipeline        false
Default Value   False

Outputs

PSCustomObject

Returns one object per encryption object found. The function searches for four types of encryption objects within each database: TDE encryption, certificates, asymmetric keys, and symmetric keys. Properties vary depending on the type of encryption object found.

Common properties in all output objects:

  • ComputerName: The computer name of the SQL Server instance
  • InstanceName: The SQL Server instance name
  • SqlInstance: The full SQL Server instance name (computer\instance)
  • Database: The database name containing the encryption object
  • Encryption: The type of encryption object (EncryptionEnabled (TDE), Certificate, Asymmetric key, or Symmetric key)
  • Name: The name of the encryption object
  • Owner: The owner of the encryption object
  • Object: The underlying SMO object (Certificate, AsymmetricKey, SymmetricKey, or DatabaseEncryptionKey)

Additional properties specific to encryption type:

  • LastBackup: DateTime of the last certificate backup (populated for TDE and Certificate types only)
  • PrivateKeyEncryptionType: How the private key is encrypted (populated for TDE, Certificate, Asymmetric key, and Symmetric key types)
  • EncryptionAlgorithm: The encryption algorithm used (populated for TDE and Asymmetric key types)
  • KeyLength: The key length in bits (populated for Asymmetric key and Symmetric key types)
  • ExpirationDate: DateTime when the certificate expires (populated for TDE and Certificate types only)

Note: When TDE encryption is enabled on a database, the returned object includes details of the server certificate protecting the database encryption key.
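The following script is an added example and is not part of the dbatools documentation or the module itself. It combines the -EnableException switch described above (so that a connection or permission failure on one instance is caught with try/catch and the audit continues with the next) with the output properties listed in this section, flagging the items a certificate lifecycle or compliance review would look for: TDE and Certificate entries with no recorded backup or an expiration date inside a chosen window, and Asymmetric or Symmetric key entries whose KeyLength falls below a chosen minimum. The instance names, the day window and the minimum key lengths are constructed values for illustration; the string comparisons rely on the Encryption values listed above.

```powershell
# Added example, not dbatools code: encryption inventory audit across several instances.
# Instance names, thresholds and the Encryption string matches are assumptions.
$instances   = 'DEV01', 'DEV02'   # constructed instance names
$warnDays    = 90                 # certificates expiring within this many days are flagged
$minAsymBits = 2048               # assumed minimum length for asymmetric keys
$minSymBits  = 128                # assumed minimum length for symmetric keys

$findings = foreach ($instance in $instances) {
    try {
        # -EnableException turns the friendly warning into a catchable exception
        $objects = Get-DbaDbEncryption -SqlInstance $instance -IncludeSystemDBs -EnableException
    } catch {
        Write-Warning "Skipping $instance : $($_.Exception.Message)"
        continue
    }

    foreach ($obj in $objects) {
        $issues = @()

        # TDE and Certificate entries carry LastBackup and ExpirationDate
        if ($obj.Encryption -in @('EncryptionEnabled (TDE)', 'Certificate')) {
            if (-not $obj.LastBackup) {
                $issues += 'certificate has never been backed up'
            }
            if ($obj.ExpirationDate -and $obj.ExpirationDate -lt (Get-Date).AddDays($warnDays)) {
                $issues += "certificate expires $($obj.ExpirationDate.ToString('yyyy-MM-dd'))"
            }
        }

        # Asymmetric and Symmetric key entries carry KeyLength (in bits)
        if ($obj.Encryption -eq 'Asymmetric key' -and $obj.KeyLength -and $obj.KeyLength -lt $minAsymBits) {
            $issues += "asymmetric key length $($obj.KeyLength) bits is below $minAsymBits"
        }
        if ($obj.Encryption -eq 'Symmetric key' -and $obj.KeyLength -and $obj.KeyLength -lt $minSymBits) {
            $issues += "symmetric key length $($obj.KeyLength) bits is below $minSymBits"
        }

        # Emit one row per object that needs attention; clean objects are omitted
        if ($issues.Count -gt 0) {
            [PSCustomObject]@{
                SqlInstance = $obj.SqlInstance
                Database    = $obj.Database
                Encryption  = $obj.Encryption
                Name        = $obj.Name
                Issues      = $issues -join '; '
            }
        }
    }
}

$findings | Sort-Object SqlInstance, Database | Format-Table -AutoSize
```

Run it from a session where the dbatools module is imported and the account has access to each instance. Objects that raise no issue are omitted from the output, and an instance that cannot be reached produces a single warning rather than stopping the audit.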