In Microsoft SQL Server 2008 and in Microsoft SQL Server 2008 R2, a database that is enabled for transparent database encryption (TDE) may not recover. And, the following error message may be logged in the SQL Server error log:
2012-01-14 22:16:26.47 spid20s Error: 15581, Severity: 16, State: 3. 2012-01-14 22:16:26.47 spid20s Please create a master key in the database or open the master key in the session before performing this operation.
In some cases, the instance of SQL Server may appear unresponsive. If you query sys.dm_exec_requests dynamic management view, you notice that the LogWriter thread and other threads that are performing DML operations are waiting indefinitely with WRITE_LOG wait_type. Other sessions may also be waiting while they try to obtain locks.
This issue occurs when service master key encryption for the database master key in the master database is removed when the following command is run:
Use mastergoalter master key drop encryption by service master key
The database master key is used to encrypt the certificate that is used by the database master key. Any attempt to use the TDE-enabled database requires access to the database master key in the master database. A master key that is not encrypted by the service master key must be opened by using the OPEN MASTER KEY statement together with a password on each session that requires access to the master key. Because this command cannot be run on system sessions, recovery cannot be completed on TDE-enabled databases.
To resolve the issue, enable automatic decryption of the master key. To do this, run the following commands:
Use mastergoopen master key DECRYPTION BY PASSWORD = 'password'
alter master key add encryption by service master key
Use the following query to determine whether automatic decryption of the master key by the service master key was disabled for the master database:
select is_master_key_encrypted_by_server from sys.databases where name = 'master'
If this query returns a value of 0, automatic decryption of the master key by the service master key was disabled.
For more information about the products or tools that automatically check for this condition on your instance of SQL Server and on versions of the SQL Server product, see the following table:
Product versions against which the rule is evaluated
Microsoft System Center Advisor
SQL Server database master key for the master database is not encrypted by the service master key.
System Center Advisor checks if the instance of SQL Server has any databases that use TDE. It also checks to make sure that the database master key of the master database is encrypted by the service master key. If this is not the case, System Center Advisor generates a warning.
SQL Server 2008 SQL Server 2008 R2 SQL Server 2012