ALTER CRYPTOGRAPHIC PROVIDER (Transact-SQL)

Applies to: SQL Server

Alters a cryptographic provider within SQL Server from an Extensible Key Management (EKM) provider.

Transact-SQL syntax conventions

Syntax

ALTER CRYPTOGRAPHIC PROVIDER provider_name   
    [ FROM FILE = path_of_DLL ]  
    ENABLE | DISABLE  

Note

To view Transact-SQL syntax for SQL Server 2014 (12.x) and earlier versions, see Previous versions documentation.

Arguments

provider_name
Name of the Extensible Key Management provider.

path_of_DLL
Path of the .dll file that implements the SQL Server Extensible Key Management interface.

ENABLE | DISABLE
Enables or disables a provider.

Remarks

If the provider changes the .dll file that is used to implement Extensible Key Management in SQL Server, you must use the ALTER CRYPTOGRAPHIC PROVIDER statement.

When the .dll file path is updated by using the ALTER CRYPTOGRAPHIC PROVIDER statement, SQL Server performs the following actions:

  • Disables the provider.
  • Verifies the DLL signature and ensures that the .dll file has the same GUID as the one recorded in the catalog.
  • Updates the DLL version in the catalog.

When an EKM provider is set to DISABLE, any attempts on new connections to use the provider with encryption statements will fail.

To disable a provider, all sessions that use the provider must be terminated.

When an EKM provider .dll file does not implement all of the necessary methods, ALTER CRYPTOGRAPHIC PROVIDER can return error 33085:

One or more methods cannot be found in cryptographic provider library '%.*ls'.

When the header file used to create the EKM provider .dll file is out of date, ALTER CRYPTOGRAPHIC PROVIDER can return error 33032:

SQL Crypto API version '%02d.%02d' implemented by provider is not supported. Supported version is '%02d.%02d'.

Permissions

Requires CONTROL permission on the cryptographic provider.

Examples

The following example alters a cryptographic provider, called SecurityProvider in SQL Server, to a newer version of a .dll file. This new version is named c:\SecurityProvider\SecurityProvider_v2.dll and is installed on the server. The provider's certificate must be installed on the server.

  1. Disable the provider to perform the upgrade. This will terminate all open cryptographic sessions.
ALTER CRYPTOGRAPHIC PROVIDER SecurityProvider
DISABLE;
GO
  2. Upgrade the provider .dll file. The GUID must be the same as the previous version, but the version can be different.
ALTER CRYPTOGRAPHIC PROVIDER SecurityProvider
FROM FILE = 'c:\SecurityProvider\SecurityProvider_v2.dll';
GO
  3. Enable the upgraded provider.
ALTER CRYPTOGRAPHIC PROVIDER SecurityProvider
ENABLE;
GO
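
The following verification queries are an added example, not part of the original documentation. They check the catalog state that the Remarks section describes (sessions, GUID, version, path, enabled flag) before and after the three steps above. The temporary table name #ekm_before is a hypothetical name chosen for this example.

```sql
-- Added example: audit an EKM provider upgrade from the catalog views.
-- Run in one session so the temp table survives across batches.

-- Before step 1: list sessions that still hold the provider open.
SELECT s.spid, s.[identity], s.session_handle
FROM sys.dm_cryptographic_provider_sessions(1) AS s   -- 1 = all sessions
JOIN sys.cryptographic_providers AS p
    ON p.provider_id = s.provider_id
WHERE p.name = N'SecurityProvider';
GO

-- Before step 1: snapshot what the catalog records for the provider.
-- #ekm_before is a hypothetical temp table used only by this example.
IF OBJECT_ID('tempdb..#ekm_before') IS NOT NULL
    DROP TABLE #ekm_before;

SELECT provider_id, name, guid, version, dll_path, is_enabled
INTO #ekm_before
FROM sys.cryptographic_providers
WHERE name = N'SecurityProvider';
GO

-- ... run the DISABLE, FROM FILE and ENABLE statements shown above ...

-- After step 3: compare the catalog against the snapshot.
SELECT a.name,
       b.version  AS version_before,
       a.version  AS version_after,
       b.dll_path AS dll_path_before,
       a.dll_path AS dll_path_after,
       CASE WHEN a.guid = b.guid
            THEN 'GUID unchanged' ELSE 'GUID MISMATCH' END AS guid_check,
       CASE WHEN a.is_enabled = 1
            THEN 'enabled' ELSE 'STILL DISABLED' END       AS enabled_check
FROM sys.cryptographic_providers AS a
JOIN #ekm_before AS b
    ON b.provider_id = a.provider_id;
GO

-- After step 3: what the loaded library itself reports.
SELECT provider_id, guid, provider_version, sqlcrypt_version, friendly_name
FROM sys.dm_cryptographic_provider_properties;
GO
```

A dll_path_after value other than the intended file, or an enabled_check of STILL DISABLED, means the upgrade did not finish as planned.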

See Also

Extensible Key Management (EKM)
CREATE CRYPTOGRAPHIC PROVIDER (Transact-SQL)
DROP CRYPTOGRAPHIC PROVIDER (Transact-SQL)
CREATE SYMMETRIC KEY (Transact-SQL)
Extensible Key Management Using Azure Key Vault (SQL Server)