Symptoms
You create a Database Encryption Key (DEK) that is longer than 3,456 bits on an instance of Microsoft SQL Server 2016 or 2017. If you enable Transparent Database Encryption (TDE) by using this DEK, an error entry that resembles the following is logged in the SQL Server error log:
date time spid Setting database option ENCRYPTION to ON for database 'database_name'.
date time spid Beginning database encryption scan for database 'database name'.
date time spid Database encryption scan for database was aborted. Reissue ALTER DB to resume the scan.
Cause
This problem occurs because SQL Server does not raise an error to indicate that a DEK longer than 3,456 bits is not supported.
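To find this signature in an exported error log, the following added example (not Microsoft's code) scans decoded log text for an encryption scan that begins and is then aborted. The message texts come from the Symptoms section; the timestamp and spid prefix layout, the sample lines, the database names, and the assumption that both messages share a spid are constructed for illustration.

```python
import re

# Message texts as quoted under Symptoms. The "timestamp spid message" prefix
# layout is an assumption about how the exported log lines are formatted.
LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<spid>spid\d+s?)\s+(?P<msg>.*)$")
BEGIN = re.compile(r"Beginning database encryption scan for database '(?P<db>[^']*)'")
ABORT = re.compile(r"Database encryption scan for database (?:'(?P<db>[^']*)' )?was aborted")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
2018-11-02 09:14:07.31 spid54      Setting database option ENCRYPTION to ON for database 'SalesDb'.
2018-11-02 09:14:07.33 spid27s     Beginning database encryption scan for database 'SalesDb'.
2018-11-02 09:14:07.35 spid27s     Database encryption scan for database 'SalesDb' was aborted. Reissue ALTER DB to resume the scan.
2018-11-02 09:20:41.05 spid31s     Beginning database encryption scan for database 'HrDb'.
2018-11-02 09:30:00.10 spid33s     Beginning database encryption scan for database 'AuditDb'.
2018-11-02 09:30:00.12 spid33s     Database encryption scan for database was aborted. Reissue ALTER DB to resume the scan.
"""


def find_aborted_scans(log_text):
    """Return [(timestamp, database)] for every aborted encryption scan."""
    open_scans = {}  # spid -> database whose scan most recently began on it
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        spid, msg = line["spid"], line["msg"]
        begin = BEGIN.search(msg)
        if begin:
            open_scans[spid] = begin["db"]
            continue
        abort = ABORT.search(msg)
        if abort:
            # The abort message may omit the database name; fall back to the
            # scan that began on the same spid (assumed to be the same task).
            db = abort["db"] or open_scans.get(spid) or "<unknown>"
            open_scans.pop(spid, None)
            findings.append((line["ts"], db))
    return findings


if __name__ == "__main__":
    for ts, db in find_aborted_scans(SAMPLE_LOG):
        print(f"{ts}  TDE scan aborted for {db}: check key length and build level")
```

A database flagged this way is a candidate for the updates listed under Resolution; a scan that begins without a later abort line is not reported.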
Resolution
This problem is fixed in the following updates for SQL Server:
Cumulative Update 13 for SQL Server 2017
Cumulative Update 5 for SQL Server 2016 Service Pack 2
Cumulative Update 11 for SQL Server 2016 Service Pack 1
Note: After you apply this fix, an attempt to create a DEK that is longer than 3,456 bits is unsuccessful, and you receive the following error message:
Msg 33178, Level 16, State 2, Line LineNumber
Encryption key length is over the currently supported maximum length of 3456.
About SQL Server builds
Each new build for SQL Server contains all the hotfixes and security fixes that were in the previous build. We recommend that you install the latest build for your version of SQL Server.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.