FIX: Error occurs when the Database Encryption Key is longer than 3,456 bits in SQL Server 2016 and 2017

Applies to: SQL Server 2016 Developer, SQL Server 2016 Enterprise, SQL Server 2016 Enterprise Core


You create a Database Encryption Key (DEK) that is longer than 3,456 bits on an instance of Microsoft SQL Server 2016 or 2017. If you enable Transparent Database Encryption (TDE) by using this DEK, an error entry that resembles the following is logged in the SQL Server error log:


This problem occurs because SQL Server does not raise an error to indicate that a DEK longer than 3,456 bits is not supported.


This problem is fixed in the following updates for SQL Server:

Cumulative Update 13 for SQL Server 2017

Cumulative Update 5 for SQL Server 2016 Service Pack 2

Cumulative Update 11 for SQL Server 2016 Service Pack 1

Note: After you apply this fix, an attempt to create a DEK that is longer than 3,456 bits is unsuccessful, and you receive the following error message:



Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology Microsoft uses to describe software updates.