Any suggestions? Export (0) Print
Expand All
Collapse the table of content
Expand the table of content
Expand Minimize

DROP DATABASE ENCRYPTION KEY (Transact-SQL)

 

THIS TOPIC APPLIES TO: yesSQL Server (starting with 2008) noAzure SQL Database yesAzure SQL Data Warehouse yesParallel Data Warehouse

Drops a database encryption key that is used in transparent database encryption. For more information about transparent database encryption, see Transparent Data Encryption (TDE).

System_CAPS_importantImportant

The backup of the certificate that was protecting the database encryption key should be retained even if the encryption is no longer enabled on a database. Even though the database is not encrypted anymore, parts of the transaction log may still remain protected, and the certificate may be needed for some operations until the full backup of the database is performed.

Topic link icon Transact-SQL Syntax Conventions


DROP DATABASE ENCRYPTION KEY
-- Azure SQL Data Warehouse and Parallel Data Warehouse
DROP DATABASE ENCRYPTION KEY

If the database is encrypted, you must first remove encryption from the database by using the ALTER DATABASE statement. Wait for decryption to complete before removing the database encryption key. For more information about the ALTER DATABASE statement, see ALTER DATABASE SET Options (Transact-SQL). To view the state of the database, use the sys.dm_database_encryption_keys dynamic management view.

Requires CONTROL permission on the database.

The following example removes the database encryption and drops the database encryption key.

ALTER DATABASE AdventureWorks2012
SET ENCRYPTION OFF;
GO
/* Wait for decryption operation to complete, look for a 
value of  1 in the query below. */
SELECT encryption_state
FROM sys.dm_database_encryption_keys;
GO
USE AdventureWorks2012;
GO
DROP DATABASE ENCRYPTION KEY;
GO

The following example removes the TDE encryption and then drops the database encryption key.

ALTER DATABASE AdventureWorksPDW2012
    SET ENCRYPTION OFF;
GO
/* Wait for decryption operation to complete, look for a 
value of  1 in the query below. */
WITH dek_encryption_state AS 
(
    SELECT ISNULL(db_map.database_id, dek.database_id) AS database_id, encryption_state
    FROM sys.dm_pdw_nodes_database_encryption_keys AS dek
        INNER JOIN sys.pdw_nodes_pdw_physical_databases AS node_db_map
           ON dek.database_id = node_db_map.database_id AND dek.pdw_node_id = node_db_map.pdw_node_id
        LEFT JOIN sys.pdw_database_mappings AS db_map
            ON node_db_map .physical_name = db_map.physical_name
        INNER JOIN sys.dm_pdw_nodes AS nodes
            ON nodes.pdw_node_id = dek.pdw_node_id
    WHERE dek.encryptor_thumbprint <> 0x
)
SELECT TOP 1 encryption_state
       FROM  dek_encryption_state
       WHERE dek_encryption_state.database_id = DB_ID('AdventureWorksPDW2012 ')
       ORDER BY (CASE encryption_state WHEN 3 THEN -1 ELSE encryption_state END) DESC; 
GO
USE AdventureWorksPDW2012;
GO
DROP DATABASE ENCRYPTION KEY;
GO

Community Additions

ADD
Show:
© 2016 Microsoft