dbatoolsTest-DbaBackupEncrypted
View SourceSynopsis
Analyzes backup files to determine encryption status and retrieve encryption details
Description
Examines SQL Server backup files to identify whether they contain encrypted data, either through backup encryption or Transparent Data Encryption (TDE). Uses RESTORE HEADERONLY and RESTORE FILELISTONLY commands to inspect backup headers and file metadata without actually restoring the database. This helps DBAs verify encryption compliance, troubleshoot restore issues, and maintain inventory of encrypted backups across their environment.
Syntax
Test-DbaBackupEncrypted
[[-SqlInstance] <DbaInstanceParameter>]
[[-SqlCredential] <PSCredential>]
[-FilePath] <String[]>
[-EnableException]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Test-DbaBackupEncrypted -SqlInstance sql01 -Path /tmp/northwind.bak
Test to see if /tmp/northwind.bak is encrypted
Example: 2
PS C:\> Get-ChildItem \\nas\sql\backups | Test-DbaBackupEncrypted -SqlInstance sql01
Test to see if all of the backups in \nas\sql\backups are encrypted
Required Parameters
-FilePath
Specifies the file path(s) to the backup files (.bak, .trn, .dif) that need to be analyzed for encryption status.
Accepts multiple paths and supports pipeline input from Get-ChildItem or other file discovery commands.
Use this to verify encryption compliance across backup files or troubleshoot restore failures caused by missing encryption certificates.
| Property | Value |
|---|---|
| Alias | FullName,Path |
| Required | True |
| Pipeline | true (ByPropertyName) |
| Default Value |
Optional Parameters
-SqlInstance
The target SQL Server instance or instances.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | true (ByPropertyName) |
| Default Value |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Outputs
PSCustomObject
Returns one object per backup file analyzed, containing encryption status and certificate information.
Properties:
- ComputerName (string) - The computer name of the SQL Server instance used for analysis
- InstanceName (string) - The SQL Server instance name used for analysis
- SqlInstance (string) - The full SQL Server instance name (computer\instance)
- FilePath (string) - The file path of the backup file that was analyzed
- BackupName (string) - The logical name of the backup set from RESTORE HEADERONLY output
- Encrypted (boolean) - Boolean indicating if the backup contains encryption from backup encryption or Transparent Data Encryption (TDE)
- KeyAlgorithm (string) - The encryption key algorithm (e.g., “AES128”, “AES192”, “AES256”, null if not encrypted via backup encryption)
- EncryptorThumbprint (string) - The SHA-1 thumbprint of the backup encryption certificate (null if not encrypted via backup encryption)
- EncryptorType (string) - The type of backup encryptor (e.g., “Certificate”, “Asymmetric Key”, null if no backup encryption)
- TDEThumbprint (string) - The TDE thumbprint in hexadecimal format from FILELISTONLY (null if database was not encrypted with TDE)
- Compressed (boolean) - Boolean indicating if the backup was created with compression enabled