November 3, 2019 at 3:14 pm
Hi,
We recently upgraded an instance to SQL Server 2017. All user databases are encrypted with TDE. The logs are flooded with messages like this;
[TDE] SetDbeState on DEK 0x0000000000XX000: Old State: None (0), New State: Unencrypted (1).
This was a SQL Server 2014 instance originally. Is this suggesting a problem with TDE? If not, can these messages be suppressed?
Thanks,
Clive
November 4, 2019 at 5:41 am
I would recommend you to review the certificates/keys used for TDE once.
Backup files of databases that have TDE enabled are also encrypted by using the database encryption key. As a result, when you restore these backups, the certificate protecting the database encryption key must be available. This means that in addition to backing up the database, you have to make sure that you maintain backups of the server certificates to prevent data loss. Data loss will result if the certificate is no longer available. For more information, see SQL Server Certificates and Asymmetric Keys.
November 4, 2019 at 3:50 pm
Hi,
Thanks for the response, but I don't understand? I'm aware that the backups are encrypted - We migrated the certificates to the new instance before we could restore our databases.
The databases are all encrypted and this is demonstrated by running :
SELECT DB_NAME(database_id) AS databasename,
CASE encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
WHEN 6 THEN 'Protection change in progress'
END AS encryptionstate,
key_algorithm + '-' + CAST(key_length AS NVARCHAR(10)) AS keytype,
encryptor_type
FROM sys.dm_database_encryption_keys
ORDER BY DB_NAME(database_id);
I can see all of my databases are encrypted as expected. What I am curious about is the [TDE] SetDbeState on DEK 0x0000000000XX000: Old State: None (0), New State: Unencrypted (1) message than now appears in my error logs in SQL 2017. These were not present in SQL 2014.
If they are not an issue, I am curious if there is a trace flag to suppress them as they make it exceptionally hard to read the log files.
Thanks
November 5, 2019 at 7:24 am
I suspect there is some issue with encryption. Although you can see encryption_state as 3 but I feel it's not encrypted. If you can share the trace/log of messages written around the same time in SQL Error Log, preferably since last restart of your server then I shall give a try to trace the reason.
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply