Error message when you use a symmetric key to decrypt data in a SQL Server 2005 database: "The decryption key is incorrect"

Extended support for SQL Server 2005 ended on April 12, 2016

If you are still running SQL Server 2005, you will no longer receive security updates and technical support. We recommend upgrading to SQL Server 2014 and Azure SQL Database to achieve breakthrough performance, maintain security and compliance, and optimize your data platform infrastructure.

SYMPTOMS
A server is running an instance of Microsoft SQL Server 2005. When you use a symmetric key to decrypt data in a database of the instance of SQL Server, you receive the following error message:
Msg 15273, Level 16, State 1,
The decryption key is incorrect.
This problem occurs when the symmetric key is generated by using the Data Encryption Standard (DES) algorithm in Microsoft Windows 2000.

Typically, you experience this problem in the following scenario:
  • In an instance of SQL Server 2005 that is running on a Windows 2000-based computer, you use a symmetric key to encrypt data in a database. Additionally, the symmetric key is generated by using the DES algorithm.
  • You migrate the database to an instance of SQL Server 2005 that is running on another Windows operating system. For example, you migrate the database to Windows Server 2003.
  • You try to use the symmetric key to decrypt the data.
This problem does not occur if the symmetric key is generated by using the Triple DES (3DES) algorithm in Windows 2000.
CAUSE
The cause of this issue is documented in the following Microsoft Knowledge Base article:
331367 Cannot decrypt data using data encryption standard (DES) key across Windows platforms
WORKAROUND
To work around this problem, use a different algorithm to generate a new symmetric key. Then, use this new key to reencrypt the data. You should use this method before you migrate the database. For example, use the 3DES algorithm to generate a symmetric key.
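The following T-SQL sketches the workaround on the source instance, where the DES key still decrypts. It is an added example, not part of the original article. The names dbo.Customers, CardNumber_Enc, CardNumber_3Des, OldDesKey, New3DesKey and KeyProtectCert are hypothetical, and it assumes both keys are protected by a certificate whose private key is protected by the database master key.

```sql
-- Added example; all object names are hypothetical.
-- Run on the source (Windows 2000-hosted) instance, before migration.

-- 1. Find symmetric keys in this database that use single DES.
SELECT name, algorithm_desc, key_length
FROM sys.symmetric_keys
WHERE algorithm_desc = 'DES';
GO

-- 2. Create the replacement key with Triple DES.
CREATE SYMMETRIC KEY New3DesKey
    WITH ALGORITHM = TRIPLE_DES
    ENCRYPTION BY CERTIFICATE KeyProtectCert;
GO

-- 3. Stage re-encrypted values in a new column so the originals stay intact.
ALTER TABLE dbo.Customers ADD CardNumber_3Des varbinary(256) NULL;
GO

-- 4. Re-encrypt, then verify every row round-trips before committing.
OPEN SYMMETRIC KEY OldDesKey DECRYPTION BY CERTIFICATE KeyProtectCert;
OPEN SYMMETRIC KEY New3DesKey DECRYPTION BY CERTIFICATE KeyProtectCert;

BEGIN TRANSACTION;

UPDATE dbo.Customers
SET CardNumber_3Des =
    EncryptByKey(Key_GUID('New3DesKey'), DecryptByKey(CardNumber_Enc))
WHERE CardNumber_Enc IS NOT NULL;

-- A NULL or mismatched plaintext means a row was not re-encrypted correctly.
IF EXISTS (
    SELECT 1 FROM dbo.Customers
    WHERE CardNumber_Enc IS NOT NULL
      AND (DecryptByKey(CardNumber_3Des) IS NULL
           OR DecryptByKey(CardNumber_3Des) <> DecryptByKey(CardNumber_Enc)))
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Re-encryption check failed; changes rolled back.', 16, 1);
END
ELSE
    COMMIT TRANSACTION;

CLOSE SYMMETRIC KEY New3DesKey;
CLOSE SYMMETRIC KEY OldDesKey;
GO
```

Once the check passes and applications read the new column, the old column and the DES key can be dropped before the database is migrated.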
MORE INFORMATION
SQL Server 2005 uses the Cryptography API (CAPI) in Windows to decrypt data. Therefore, this is a limitation in the Windows operating system.
REFERENCES
For more information about how to create a symmetric key, visit the following Microsoft Developer Network (MSDN) Web site: For more information about how to encrypt data by using a symmetric key, visit the following MSDN Web site: For more information about how to decrypt data by using a symmetric key, visit the following MSDN Web site:
Properties

Article ID: 948209 - Last Review: 02/14/2008 00:54:28 - Revision: 1.1

Microsoft SQL Server 2005 Standard Edition, Microsoft SQL Server 2005 Workgroup Edition, Microsoft SQL Server 2005 Developer Edition, Microsoft SQL Server 2005 Enterprise Edition
