DbDefence Command line Encryption Tool

This tool is called dbencrypt.exe and it is located in the DbDefence installation directories \API\x86 and \API\x64. It encrypts a database the same way the GUI does, but it does not perform any tests once it is finished.

Examples:

Simply encrypt and protect the database, Windows auth, drop existing connections if any:

dbencrypt.exe -F -S .\MYSERVER -d testdb -p SuperPassword1982

Decrypt the database, Windows auth, drop connections if any:

dbencrypt.exe -F -S .\MYSERVER -d testdb -p SuperPassword1982 -X

Encrypt the database with Maximum Transparency mode (TDE-like), SQL Server auth, fail if database is busy:

dbencrypt.exe -S .\MYSERVER -U sa -P "sa_password!!!" -d testdb -p SuperPassword1982 -E "*.*"

Decrypt the database, SQL Server auth, fail if database is busy:

dbencrypt.exe -S .\MYSERVER -U sa -P "sa_password!!!" -d testdb -p SuperPassword1982 -X

Usage:

dbencrypt.exe <parameters>

Parameters:

-S <server>
-U <sql user name>
-P <sql user password>
-d <database>
-p <encryption password>
[-o Log SQL queries]
[-A use AES-256 instead of AES-128]
[-u login:password] allow access for login. See dbd_add_login
[-L Licensee bound encryption.]
[-N Non-exportable keys.]
[-C <cert thumbprint>] apply certificate encryption. The thumbprint is the certificate's SHA1 thumbprint, e.g. e99a474556cbc09031d043c71082c1279c48df98
[-e exception_list_file_name]
[-a masking_rules_file]
[-E exception_list_comma_separated]
[-X decrypt instead of encryption]
[-F forcibly disconnect all users from the database]
[-V use FIPS 140-2 validated module]
[-T allow profiling]
[-Z remove all masks for all masked objects]
[-z remove all masks for the object]

PKCS#11 parameters:

[-m <module name>] Module name. See: exec master..dbd_list_modules
[-O <n>] Slot number
[-i <pin>] Token PIN
[-l <label>] Key label

To set the "Only Encryption. Maximum Transparency." mode option, use -E "*.*"

If no SQL username is specified, the tool logs in with a trusted connection (Windows authentication).

Please note: You can only encrypt databases that are physically located on the current instance. You can't set up encryption remotely.

Databases must be running, accessible and not in use. The exception file is the list of security exceptions.

During the encryption process, the database will be taken offline and encrypted without any backup taking place.

Here is a list of the error codes the tool can return during this process:

0 - Success.
-777 - Encryption finished.
113 - Missing ALTER ANY DATABASE permission to take a database Offline and Online. Not enough privileges.
116 - Can't create symmetric key in the database. Usually means password complexity error.
117 - Can't locate and open key file.
122 - Masking is not available on this platform/SQL Server version.
141 - Can't query database. This often happens if you try to encrypt an already encrypted database.
144 - Can't decrypt database. This may be a wrong password.
145 - There are active connections in the database. Use option -F to kill.
147 - DbDefence is not running on the instance.
149 - Attach error.
150 - Detach error.
152 - Can't create symmetric key in the database.
160 - No EXECUTE permissions on master.dbo.dbd_listdb
180 - Can't load/validate FIPS 140-2 module.
181 - Incomplete parameters.
182 - Cannot operate on the mirrored database.
183 - Cannot operate on the database in AlwaysOn Availability Group.
184 - File I/O error.
185 - Error while importing encryption keys.
186 - PKCS#11 related error.
187 - PKCS#11 related error.
188 - Failed to apply masking.
189 - There were errors validating data masking settings.
190 - Database is already encrypted with TDE.
191 - License error. exec master..dbd_reg_info failed.
201 - Password complexity error. Complexity settings depend on OS.
-25 - Invalid parameter.
-24 - Can't find specified certificate (server side).
-23 - Can't find specified certificate (client side).
-22 - Malformed SHA1 thumbprint.
-21 - Error messages from SQL Server.
-20 - Can't connect to server.
-19 - DbDefence not installed or not started.
-18 - Database is already encrypted.
-17 - No password specified.
-16 - Can't use database.
-15 - Can't create DbDefence tables in the database, or the tables were created with errors.
-14 - Unexpected error.
-13 - Can't detach database.
-12 - Can't open database files for RW access.
-11 - Can't attach database after encryption.
-10 - File with exceptions specified but it's not accessible.
-4 - Can't access all files of the database.
-3 - Database is too big for this license.
-2 - Unknown command line option.

Just like the GUI, the command line tool can only work on local instances of SQL Server. You can't encrypt databases remotely.
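A small wrapper that builds the dbencrypt.exe argument list from the parameters above and maps the documented exit codes to messages, added here as an example (not DbDefence's own code). The installation path, server and database names are assumed placeholders; the exit-code table is a subset of the list above.

```python
"""Wrapper around dbencrypt.exe: builds its argument list as an argv list
(no shell, so passwords containing '!' or spaces need no quoting) and
translates its exit code using the documented table."""
import subprocess

# Assumed install location (placeholder); the tool ships in \API\x86 and \API\x64.
DBENCRYPT = r"C:\Program Files\DbDefence\API\x64\dbencrypt.exe"

# Subset of the exit codes documented above.
EXIT_CODES = {
    0: "Success.",
    -777: "Encryption finished.",
    113: "Missing ALTER ANY DATABASE permission to take a database Offline and Online.",
    145: "There are active connections in the database. Rerun with force=True (-F).",
    201: "Password complexity error. Complexity settings depend on OS.",
    -20: "Can't connect to server.",
    -18: "Database is already encrypted.",
    -17: "No password specified.",
}


def build_args(server, database, password, sql_user=None, sql_password=None,
               decrypt=False, force=False, max_transparency=False, aes256=False):
    """Return the argv list for dbencrypt.exe (order follows the page's examples)."""
    if not password:
        raise ValueError("encryption password (-p) is required")  # tool would return -17
    args = [DBENCRYPT, "-S", server, "-d", database, "-p", password]
    if sql_user is not None:  # otherwise a trusted (Windows) connection is used
        args += ["-U", sql_user, "-P", sql_password or ""]
    if force:
        args.append("-F")  # forcibly disconnect all users
    if aes256:
        args.append("-A")  # AES-256 instead of AES-128
    if max_transparency:
        args += ["-E", "*.*"]  # "Only Encryption. Maximum Transparency." mode
    if decrypt:
        args.append("-X")  # decrypt instead of encrypt
    return args


def describe_exit(code):
    """Map a dbencrypt.exe exit code to the documented message."""
    return EXIT_CODES.get(code, f"Undocumented exit code {code}")


def run_dbencrypt(args):
    """Run the tool and return (exit_code, message). Note that the database is
    taken offline and no backup is made while the tool runs."""
    proc = subprocess.run(args, capture_output=True, text=True)
    return proc.returncode, describe_exit(proc.returncode)
```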