Symptoms

You create a Database Encryption Key (DEK) that is longer than 3,456 bits on an instance of Microsoft SQL Server 2016 or 2017. If you enable Transparent Database Encryption (TDE) by using this DEK, an error entry that resembles the following is logged in the SQL Server error log:

date time spid Setting database option ENCRYPTION to ON for database 'database_name'.
date time spid Beginning database encryption scan for database 'database name'.
date time spid Database encryption scan for database was aborted. Reissue ALTER DB to resume the scan.
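
To find this symptom in an exported copy of the error log, the following added example (not code from Microsoft or from this article) pairs each "was aborted" entry with the database named in the preceding "Beginning" entry from the same spid. The sample log text, timestamps, spid values and database names are constructed, and matching on the spid is an assumption.

```python
import re

# Constructed sample in the article's "date time spid message" layout (not real log output).
SAMPLE_LOG = """\
2019-01-10 09:00:01.10 spid55 Setting database option ENCRYPTION to ON for database 'Sales'.
2019-01-10 09:00:01.20 spid21s Beginning database encryption scan for database 'Sales'.
2019-01-10 09:00:01.30 spid21s Database encryption scan for database was aborted. Reissue ALTER DB to resume the scan.
2019-01-10 09:05:00.00 spid56 Setting database option ENCRYPTION to ON for database 'HR'.
2019-01-10 09:05:00.10 spid22s Beginning database encryption scan for database 'HR'.
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<spid>spid\S+)\s+(?P<msg>.*)$")
BEGIN = re.compile(r"Beginning database encryption scan for database '(?P<db>[^']+)'")
# The article's abort entry carries no database name; a quoted name is used if one is present.
ABORT = re.compile(r"Database encryption scan for database (?:'(?P<db>[^']+)' )?was aborted")


def find_aborted_scans(log_text):
    """Return [(timestamp, database)] for each aborted TDE scan, in log order."""
    last_begin = {}  # spid -> database from that spid's latest "Beginning" entry
    aborted = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a "date time spid message" entry
        begin = BEGIN.search(m["msg"])
        if begin:
            last_begin[m["spid"]] = begin["db"]
            continue
        abort = ABORT.search(m["msg"])
        if abort:
            # Assumption: the abort is logged by the spid that began the scan.
            db = abort["db"] or last_begin.get(m["spid"], "<unknown>")
            last_begin.pop(m["spid"], None)
            aborted.append((m["ts"], db))
    return aborted


if __name__ == "__main__":
    for ts, db in find_aborted_scans(SAMPLE_LOG):
        print(f"{ts}: encryption scan aborted for database {db}")
```
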

Cause

This problem occurs because SQL Server does not raise an error to indicate that a DEK longer than 3,456 bits is not supported.

Resolution

This problem is fixed in the following updates for SQL Server:

Cumulative Update 13 for SQL Server 2017

Cumulative Update 5 for SQL Server 2016 Service Pack 2

Cumulative Update 11 for SQL Server 2016 Service Pack 1

Note: After you apply this fix, an attempt to create a DEK that is longer than 3,456 bits is unsuccessful, and you receive the following error message:

Msg 33178, Level 16, State 2, Line LineNumber
Encryption key length is over the currently supported maximum length of 3456.

About SQL Server builds

Each new build for SQL Server contains all the hotfixes and security fixes that were in the previous build. We recommend that you install the latest build for your version of SQL Server:

Latest cumulative update for SQL Server 2017

The latest build for SQL Server 2016

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology Microsoft uses to describe software updates.
