Encrypt or decrypt a column with PowerShell
To encrypt or decrypt a column with PowerShell:
Encrypt a column
To encrypt a column:
-
Log in to the client using the <domain>\dbuser account.
-
Launch PowerShell on the client computer and run the
Encrypt_Column_Named_Password.ps1script (below).# Import the SqlServer module. Import-Module SqlServer # Set up connection and database SMO objects $sqlConnectionString = "Data Source=MS-SQL-AE-Srv.interop.com; Initial Catalog=TestDatabase; Integrated Security=True; MultipleActiveResultSets=False; Connect Timeout=30; Encrypt=True; TrustServerCertificate=True; Packet Size=4096; Application Name=`"Microsoft SQL Server Management Studio`"" $smoDatabase = Get-SqlDatabase -ConnectionString $sqlConnectionString # If your encryption changes involve keys in Azure Key Vault, uncomment one of the lines below in order to authenticate: # * Prompt for a username and password: #Add-SqlAzureAuthenticationContext -Interactive # * Enter a Client ID, Secret, and Tenant ID: #Add-SqlAzureAuthenticationContext -ClientID '<Client ID>' -Secret '<Secret>' -Tenant '<Tenant ID>' # Change encryption schema $encryptionChanges = @() # Add changes for table [dbo].[TestTable] $encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.Password -EncryptionType Randomized -EncryptionKey "MyCEK" Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptionChanges -InputObject $smoDatabaseThe command line is:
> PowerShell -ExecutionPolicy Bypass -File Encrypt_Column_Named_Password.ps1 -
Present the OCS, select the HSM, and enter the passphrase.
-
Launch Microsoft SQL Server Management Studio. Do as indicated in encrypt-decrypt-column-with-ssms.adoc#view-encrypted-column-ssms to verify the column has been encrypted.
Remove column encryption
To remove column encryption:
-
Launch PowerShell on the client computer and run the
Decrypt_Column_Named_Password.ps1script (below).# Import the SqlServer module. Import-Module SqlServer # Set up connection and database SMO objects $sqlConnectionString = "Data Source=MS-SQL-AE-Srv.interop.com; Initial Catalog=TestDatabase; Integrated Security=True; MultipleActiveResultSets=False; Connect Timeout=30; Encrypt=True; TrustServerCertificate=True; Packet Size=4096; Application Name=`"Microsoft SQL Server Management Studio`"" $smoDatabase = Get-SqlDatabase -ConnectionString $sqlConnectionString # If your encryption changes involve keys in Azure Key Vault, uncomment one of the lines below in order to authenticate: # * Prompt for a username and password: #Add-SqlAzureAuthenticationContext -Interactive # * Enter a Client ID, Secret, and Tenant ID: #Add-SqlAzureAuthenticationContext -ClientID '<Client ID>' -Secret '<Secret>' -Tenant '<Tenant ID>' # Change encryption schema $encryptionChanges = @() # Add changes for table [dbo].[TestTable] $encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.Password -EncryptionType Plaintext Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptionChanges -InputObject $smoDatabaseThe command line is:
> PowerShell -ExecutionPolicy Bypass -File Decrypt_Column_Named_Password.ps1 -
Present the OCS, select the HSM, and enter the passphrase.
-
Launch Microsoft SQL Server Management Studio. Do as indicated in encrypt-decrypt-column-with-ssms.adoc#view-encrypted-column-ssms to verify the column has been encrypted.