You are currently offline, waiting for your internet to reconnect

Your browser is out-of-date

You need to update your browser to use the site.

Update to the latest version of Internet Explorer

FIX: The database might not be encrypted when you turn on encryption in SQL Server 2012

Assume that you regularly turn encryption on and off on a database and also regularly change the encryption keys on the database in SQL Server 2012. In this scenario, the database might not be encrypted when you turn on encryption. If you change the encryption keys, an assertion might occur.
This issue occurs because, if a database encryption key (DEK) is not in an encrypted state and the key is changed, the next update of the key copies the key part of the DEK, but it does not copy the setting the encryption state correctly.

In SQL Server 2012, after a decryption scan, the DEK in the file control block (FCB) header is kept, and the DEK is removed only when the key is dropped.  When encryption is turned off, there is a key change, and then you try to turn on the encryption, the dynamic management view (DMV) shows that encryption completed. However, the encryption scan is not performed and the pages are left not encrypted.

Cumulative update information

SQL Server 2012

The fix for this issue was first released in Cumulative Update 1. For more information about how to obtain this cumulative update package for SQL Server 2012, click the following article number to view the article in the Microsoft Knowledge Base:
2679368 Cumulative Update package 1 for SQL Server 2012
Note Because the builds are cumulative, each new fix release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2012 fix release. We recommend that you consider applying the most recent fix release that contains this hotfix. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2692828 The SQL Server 2012 builds that were released after SQL Server 2012 was released

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
To work around this issue, drop the encryption key every time you turn encryption off on a database.
More information
Call stack information
FCB::InitializeReencryptionScan ntdbms\storeng\dfs\manager\fcb.cpp 8407FCB::ReencryptFile ntdbms\storeng\dfs\manager\fcb.cpp 8934AsynchronousDiskAction::DoReencryptFile ntdbms\storeng\dfs\manager\asyncdp.cpp 810AsynchronousDiskAction::ExecuteDeferredAction ntdbms\storeng\dfs\manager\asyncdp.cpp 1203AsynchronousDiskPool::ProcessActions ntdbms\storeng\dfs\manager\asyncdp.cpp 2252AsynchronousDiskWorker::ThreadRoutine ntdbms\storeng\dfs\manager\asyncdp.cpp 3120SubprocEntrypoint ntdbms\storeng\dfs\process\subproc.cpp 444SOS_Task::Param::Execute e:\sql11_main_t\sql\common\dk\sos\include\sos.inl 8564SOS_Scheduler::RunTask e:\sql11_main_t\sql\common\dk\sos\src\scheduler.cpp 976SOS_Scheduler::ProcessTasks e:\sql11_main_t\sql\common\dk\sos\src\scheduler.cpp 852SchedulerManager::WorkerEntryPoint e:\sql11_main_t\sql\common\dk\sos\src\node.cpp 1809SystemThread::RunWorker e:\sql11_main_t\sql\common\dk\sos\include\worker.inl 823SystemThreadDispatcher::ProcessWorker e:\sql11_main_t\sql\common\dk\sos\src\node.cpp 449Assert in FCB::InitializeReencryptionScan in file fcb.cpp @ 8407Expression: a_dbDEK->GetDbeState () == CSECDEK::x_dbe_DecryptionInProgress || a_dbDEK->GetDbeState () == CSECDEK::x_dbe_EncryptionInProgress

Article ID: 2692145 - Last Review: 11/22/2012 14:05:00 - Revision: 3.2

  • SQL Server 2012 Enterprise Core
  • Microsoft SQL Server 2012 Developer
  • Microsoft SQL Server 2012 Enterprise
  • Microsoft SQL Server 2012 Express
  • Microsoft SQL Server 2012 Standard
  • Microsoft SQL Server 2012 Web
  • kbtshoot kbqfe kbfix kbexpertiseadvanced kbsurveynew KB2692145