DbDefence Command line Encryption Tool

This tool is called dbencrypt.exe (it depends only on dbencrypt.dll) and is located in the DbDefence installation directory. It encrypts a database the same way the GUI does, but it does not perform any tests once it is finished.

Usage: dbencrypt.exe <parameters>


-S <server>
-U <sql user name>
-P <sql user password>
-d <database>
-p <encryption password>
[-o Log SQL queries]
[-A use AES-256 instead of AES-128]
[-L Licensee bound encryption.]
[-N Non-exportable keys.]
[-C <cert thumbprint>] (apply certificate encryption. thumbprint - SHA1 thumbprint, ex: e99a474556cbc09031d043c71082c1279c48df98)
[-e exception_list_file_name]
[-E exception_list_comma_separated]
[-X decrypt instead of encryption]
[-F forcibly disconnect all users from the database]
[-V use FIPS 140-2 validated module (cryptopp.dll)]
[-T allow profiling]

PKCS#11 parameters:

[-m <module name>] Module name. See: exec master..dbd_list_modules
[-O <n> slot number]
[-i <pin>] Token PIN
[-l <label>] Key label

To add the "Allow access without encryption password" option, use -E "*.*".

If no SQL user name is specified, the tool logs in with a trusted connection.

Please note: You can only encrypt databases that are physically located on the current instance. You can't set up encryption remotely.

Databases must be running, accessible and not in use. The exception file is the list of security exceptions.

During the encryption process, the database will be put offline and encrypted without any backup taking place.

Here is a list of the possible error codes returned during this process:

0 - Success.
-777 - Encryption finished. (used only in API)
141 - Can't query database. Often happens if you try to encrypt an already encrypted database.
144 - Can't decrypt database. Maybe wrong password.
145 - There are active connections in the database. Use option -F to kill.
147 - DbDefence is not running on the instance.
152 - Can't create symmetric key in the database.
-21 - Error messages from SQL Server.
-20 - Can't connect to server.
-19 - DbDefence not installed or not started.
-18 - Database already encrypted.
-17 - No password specified.
-16 - Can't switch to select db.
-15 - Can't create DbDefence tables in database or created incorrectly.
-14 - Unexpected error.
-13 - Can't detach database.
-12 - Can't open database files for RW access.
-11 - Can't attach database after encryption.
-10 - File with exceptions specified but it's not accessible.
-4 - Can't access all files of the database.
-3 - Database too big for this license.
-2 - Unknown command line option.

Just like the GUI, the command line tool can only work on local instances of an SQL server. You can't encrypt databases remotely.
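
The following PowerShell wrapper is an added example, not code shipped with DbDefence. It takes a backup before encrypting (the tool takes none), runs dbencrypt.exe with options from the list above, and reports the return code. It assumes the codes listed above are returned as the process exit code; the script parameters ($ToolPath, $Server, $Database, $BackupFile, -ForceDisconnect) are names chosen for this example.

```powershell
# Added example, not vendor code. Assumes the codes listed above are the process exit code.
param(
    [Parameter(Mandatory)] [string] $ToolPath,    # placeholder: full path to dbencrypt.exe
    [Parameter(Mandatory)] [string] $Server,      # must be the local instance
    [Parameter(Mandatory)] [string] $Database,
    [Parameter(Mandatory)] [string] $BackupFile,  # placeholder: .bak path on a protected volume
    [switch] $ForceDisconnect                     # pass -F to dbencrypt.exe
)

# Subset of the return codes documented above.
$codes = @{
    0     = 'Success.'
    141   = "Can't query database (often an already encrypted database)."
    145   = 'Active connections in the database.'
    147   = 'DbDefence is not running on the instance.'
    (-20) = "Can't connect to server."
    (-18) = 'Database already encrypted.'
    (-12) = "Can't open database files for RW access."
    (-3)  = 'Database too big for this license.'
}

# dbencrypt.exe takes no backup, so take one first. This is sqlcmd's own -E
# (trusted connection) and -b (non-zero exit on error), not dbencrypt's -E.
# The backup holds unencrypted data: restrict access to it and delete it when done.
$db   = $Database.Replace(']', ']]')
$file = $BackupFile.Replace("'", "''")
& sqlcmd -S $Server -E -b -Q "BACKUP DATABASE [$db] TO DISK = N'$file' WITH CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw "Backup failed (sqlcmd exit $LASTEXITCODE); nothing encrypted." }

# Prompt rather than hard-code the password. It is still passed as an argument,
# so it appears in the process command line while dbencrypt.exe runs.
$secure = Read-Host -AsSecureString "Encryption password for $Database"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$toolArgs = @('-S', $Server, '-d', $Database, '-p', $plain, '-A')  # no -U/-P: trusted connection
if ($ForceDisconnect) { $toolArgs += '-F' }
& $ToolPath @toolArgs
$rc = $LASTEXITCODE
$plain = $null

if ($rc -eq 0) {
    Write-Output "Encrypted $Database with AES-256."
} elseif ($rc -eq 145 -and -not $ForceDisconnect) {
    Write-Error 'Code 145: active connections. Re-run with -ForceDisconnect to pass -F.'
} else {
    $msg = if ($codes.ContainsKey($rc)) { $codes[$rc] } else { 'see the table above' }
    Write-Error "dbencrypt.exe returned ${rc}: $msg"
}
exit $rc
```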