Currently running Microsoft SQL Server 2019 (RTM-CU17) and attempting to implement TDE.
SQL Server service is running under a domain account. That service account and NT Service\MSSQLSERVER are members of the local administrators group.
After creating a MASTER KEY and CERTIFICATE:
CREATE CERTIFICATE [SERVER_A_MSSQLSERVER_TDE_Cert] WITH SUBJECT = 'SERVER_A MSSQLSERVER TDE Certificate'
I attempt to back up those with the following commands:
BACKUP SERVICE MASTER KEY TO FILE = 'g:\MSSQL\backups\SERVER_A_SQL_Keys\SERVER_A_MSSQLSERVER_TDE_SvcMaster_Key.bak' ENCRYPTION BY PASSWORD = 'ThisIsStrongP@ssword#1'
BACKUP MASTER KEY TO FILE = 'g:\MSSQL\backups\SERVER_A_SQL_Keys\SERVER_A_MSSQLSERVER_TDE_Master_Key.bak' ENCRYPTION BY Password = 'ThisIsStrongP@ssword#2'
BACKUP Certificate [SERVER_A_MSSQLSERVER_TDE_Cert]
TO FILE = 'g:\MSSQL\backups\SERVER_A_SQL_Keys\SERVER_A_MSSQLSERVER_TDE_Cert.bak'
WITH Private KEY (FILE = 'g:\MSSQL\backups\SERVER_A_SQL_Keys\SERVER_A_MSSQLSERVER_TDE_Master_Key.bak',
ENCRYPTION BY Password = 'ThisIsStrongP@ssword#3' );
The backups of the service master key and the master key run successfully; however, the backup of the certificate fails with the following error:
Msg 15240, Level 16, State 1, Line 1
Cannot write into file 'g:\MSSQL\backups\SERVER_A_SQL_Keys\SERVER_A_MSSQLSERVER_TDE_Master_Key.bak'. Verify that you have write permissions, that the file path is valid, and that the file does not already exist.
I realize SQL will modify the ACL of those files after they are created, but I have verified the necessary accounts are in the local administrators group...
What am I missing?
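
Added example, not part of the original post: in the failing statement the PRIVATE KEY FILE path is the same file that BACKUP MASTER KEY created one step earlier, and BACKUP CERTIFICATE does not overwrite an existing file, which is the last condition the error message lists. The sketch below writes the certificate and its private key to two new files and then checks the result; the .cer/.pvk file names, the recovery-instance paths and the password placeholders are assumptions.

```sql
-- Added example, not from the original post. File names ending in .cer/.pvk
-- and the <...> placeholders are assumptions; the directory is the post's own.
USE master;
GO

-- TO FILE receives the public certificate, PRIVATE KEY FILE receives the
-- private key. Each must be a path that does not exist yet.
BACKUP CERTIFICATE [SERVER_A_MSSQLSERVER_TDE_Cert]
TO FILE = 'g:\MSSQL\backups\SERVER_A_SQL_Keys\SERVER_A_MSSQLSERVER_TDE_Cert.cer'
WITH PRIVATE KEY (
    FILE = 'g:\MSSQL\backups\SERVER_A_SQL_Keys\SERVER_A_MSSQLSERVER_TDE_Cert.pvk',
    ENCRYPTION BY PASSWORD = '<private-key-file-password>'
);
GO

-- Confirm the private key backup was recorded. A NULL
-- pvt_key_last_backup_date means the private key has not been exported.
SELECT name,
       thumbprint,
       expiry_date,
       pvt_key_encryption_type_desc,
       pvt_key_last_backup_date
FROM sys.certificates
WHERE name = N'SERVER_A_MSSQLSERVER_TDE_Cert';
GO

-- Restore test. Run this part on a separate recovery instance only, after
-- copying both files there; its master database needs its own database
-- master key. The thumbprint it reports should match the query above.
CREATE CERTIFICATE [SERVER_A_MSSQLSERVER_TDE_Cert]
FROM FILE = '<recovery-path>\SERVER_A_MSSQLSERVER_TDE_Cert.cer'
WITH PRIVATE KEY (
    FILE = '<recovery-path>\SERVER_A_MSSQLSERVER_TDE_Cert.pvk',
    DECRYPTION BY PASSWORD = '<private-key-file-password>'
);
GO
```

Store the private key file and its password separately from the database backups they protect.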