Please create a master key in the database or open the master key in the session before performing this operation
Fixed.
Referenced: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/sql-server-and-database-encryption-keys-database-engine
This paragraph gave it away:
The copy of the DMK stored in the master system database is silently updated whenever the DMK is changed. However, this default can be changed by using the DROP ENCRYPTION BY SERVICE MASTER KEY option of the ALTER MASTER KEY statement. A DMK that is not encrypted by the service master key must be opened by using the OPEN MASTER KEY statement and a password.
Ran the following on my secondary nodes.
- Drop Certificate...
- Drop master key
- Create master key...
- Create certificate from file...
Arrived at the solution after checking this.
--on primary, output: master
select name from sys.databases where is_master_key_encrypted_by_server=1
--on secondary, output: nothing...
select name from sys.databases where is_master_key_encrypted_by_server=1
So I figured if I could get the master key to be encrypted by default by the service master key then this would automate the decryption.
--on secondary
drop certificate [BackupCertWithPK]
drop master key
--Skipped restore master key from file.
--Instead, I ran create master key with password.
create master key encryption by password = 'MyTest!Mast3rP4ss';
--verify by open/close.
open master key decryption by password = 'MyTest!Mast3rP4ss';
close master key;
--proceed to restore/create cert from file.
create cerfiticate [BackupCertWithPK]
from file = '\\FS1\SqlBackups\SQL1\Donot_delete_SQL1-Primary_BackupCertWithPK.cer'
with private key (file = '\\FS1\SqlBackups\SQL1\Donot_delete_SQL1-Primary_BackupCertWithPK.key' , decryption by password = 'key_Test!prim@ryP4ss') ;
After this ran the above select again.
--on secondary, output: master, now there was hope again!
select name from sys.databases where is_master_key_encrypted_by_server=1
Finally, I re-ran my backup job with options set for Verify and Encryption successfully. Verify step did not fail nor prompted to open/close the master key.
The following simply worked as intended without needing to open/close the master key.
RESTORE VERIFYONLY FROM DISK = '\\FS1\SqlBackups\SQL01\SystemDbs\msdb_backup_2017_09_22_171915_6346240.bak' WITH FILE = 1, NOUNLOAD, NOREWIND;
Wohooo! Mission accomplished.