When do I need to backup the Service Master Key?

If you are talking about the SQL service master key, then there is a rare occurrence where you really need to restore it.

I'm thinking of a couple of scenarios where you need to restore the SMK...

  1. Somehow it got corrupted.

  2. You are rebuilding your SQL server and planning to restore every database including system databases from backup. Usually, even in this case, you might not need to restore the SMK if you are using the same SQL service account and password.

In TDE you don't need to restore the SMK. As everyone said, you just need the certificate and the private key. You don't need to have the same database master key either, because when you create the certificate from backup it gets encrypted by the DMK of the destination machine.

When you are moving a TDE database to a new instance, what you need to ensure is that the proper certificate (or asymmetric key) is also in the destination's master database. If you fail to do this, you'll receive the following error:

Msg 33111, Level 16, State 3, Line 2 Cannot find server certificate with thumbprint '0xA085414434DB4A36B29..................'.

It's not the Service Master Key that needs to move with the TDE-enabled database backup, but it would be the certificate. For instance, say you created your DEK (database encryption key) with a certificate in master named MyTDECert. Without that certificate on your destination instance, you won't be able to restore your database.
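Putting both answers together, here is the certificate move as T-SQL (an added example, not code from either answer). MyTDECert is the certificate name used in the answer; the database name MyTDEDb, the file paths and the passwords are placeholders.

```sql
/* --- On the SOURCE instance: find which certificate protects the DEK --- */
USE master;
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryptor_thumbprint,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;

/* Back up that certificate together with its private key.
   These two files plus the password are the real key material to protect;
   without them, backups of the TDE database cannot be restored anywhere. */
BACKUP CERTIFICATE MyTDECert
    TO FILE = 'C:\KeyBackup\MyTDECert.cer'             -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\MyTDECert.pvk',           -- placeholder path
        ENCRYPTION BY PASSWORD = '<strong-password-1>' -- placeholder
    );

/* --- On the DESTINATION instance --- */
USE master;

-- A DMK must exist in master to protect the imported private key.
-- It does not have to match the source DMK: the key is re-encrypted locally.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-2>';

CREATE CERTIFICATE MyTDECert
    FROM FILE = 'C:\KeyBackup\MyTDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\MyTDECert.pvk',
        DECRYPTION BY PASSWORD = '<strong-password-1>'
    );

-- Pre-flight check: the TDEThumbprint column reported for the backup must
-- match a thumbprint in sys.certificates here, or the restore fails with
-- Msg 33111 (cannot find server certificate with thumbprint ...).
RESTORE HEADERONLY FROM DISK = 'C:\Backups\MyTDEDb.bak';   -- placeholder path
SELECT name, thumbprint FROM sys.certificates WHERE name = 'MyTDECert';

RESTORE DATABASE MyTDEDb
    FROM DISK = 'C:\Backups\MyTDEDb.bak'
    WITH RECOVERY;
```

Note that the Service Master Key is never touched in this sequence; only the certificate and its private key travel with the database.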