Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Symptoms

Assume that you regularly turn encryption on and off on a database and also regularly change the encryption keys on the database in SQL Server 2012. In this scenario, the database might not be encrypted when you turn on encryption. If you change the encryption keys, an assertion might occur.

Cause

This issue occurs because, if a database encryption key (DEK) is not in an encrypted state and the key is changed, the next update of the key copies the key part of the DEK, but it does not copy the setting the encryption state correctly.

In SQL Server 2012, after a decryption scan, the DEK in the file control block (FCB) header is kept, and the DEK is removed only when the key is dropped.  When encryption is turned off, there is a key change, and then you try to turn on the encryption, the dynamic management view (DMV) shows that encryption completed. However, the encryption scan is not performed and the pages are left not encrypted.

Resolution

Cumulative update information

SQL Server 2012

The fix for this issue was first released in Cumulative Update 1. For more information about how to obtain this cumulative update package for SQL Server 2012, click the following article number to view the article in the Microsoft Knowledge Base:

2679368 Cumulative Update package 1 for SQL Server 2012Note Because the builds are cumulative, each new fix release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2012 fix release. We recommend that you consider applying the most recent fix release that contains this hotfix. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2692828 The SQL Server 2012 builds that were released after SQL Server 2012 was released

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Workaround

To work around this issue, drop the encryption key every time you turn encryption off on a database.

More Information

Call stack information

FCB::InitializeReencryptionScan ntdbms\storeng\dfs\manager\fcb.cpp 8407
FCB::ReencryptFile ntdbms\storeng\dfs\manager\fcb.cpp 8934
AsynchronousDiskAction::DoReencryptFile ntdbms\storeng\dfs\manager\asyncdp.cpp 810
AsynchronousDiskAction::ExecuteDeferredAction ntdbms\storeng\dfs\manager\asyncdp.cpp 1203
AsynchronousDiskPool::ProcessActions ntdbms\storeng\dfs\manager\asyncdp.cpp 2252
AsynchronousDiskWorker::ThreadRoutine ntdbms\storeng\dfs\manager\asyncdp.cpp 3120
SubprocEntrypoint ntdbms\storeng\dfs\process\subproc.cpp 444
SOS_Task::Param::Execute e:\sql11_main_t\sql\common\dk\sos\include\sos.inl 8564
SOS_Scheduler::RunTask e:\sql11_main_t\sql\common\dk\sos\src\scheduler.cpp 976
SOS_Scheduler::ProcessTasks e:\sql11_main_t\sql\common\dk\sos\src\scheduler.cpp 852
SchedulerManager::WorkerEntryPoint e:\sql11_main_t\sql\common\dk\sos\src\node.cpp 1809
SystemThread::RunWorker e:\sql11_main_t\sql\common\dk\sos\include\worker.inl 823
SystemThreadDispatcher::ProcessWorker e:\sql11_main_t\sql\common\dk\sos\src\node.cpp 449
Assert in FCB::InitializeReencryptionScan in file fcb.cpp @ 8407
Expression: a_dbDEK->GetDbeState () == CSECDEK::x_dbe_DecryptionInProgress || a_dbDEK->GetDbeState () == CSECDEK::x_dbe_EncryptionInProgress

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×