Disabling TDE on AlwaysOn database
07-01-2021
Question
Which are the correct steps to disable (not remove) TDE on an AlwaysOn database in an availability group?
I found steps for removing TDE, but that involves removing the availability group and disabling the AlwaysOn relationship. I hope this is only for removing the TDE configuration altogether.
Solution
To disable TDE you must first remove the candidate database from the Availability Group - the group itself however does not need to be dropped.
To do this, the following code is needed:
USE [master];
GO
ALTER DATABASE [YourDatabase] SET HADR OFF;
GO
Once this is complete, you may then disable TDE on the PRIMARY replica:
ALTER DATABASE [YourDatabase] SET ENCRYPTION OFF;
The process of decryption is asynchronous, and can be monitored by looking at the percent_complete column in the sys.dm_database_encryption_keys DMV.
One thing to note is that although the database itself is encrypted, if you aren't careful you can end up with part of the log file still encrypted - this is only a problem if you will be dropping the encryption certificates from the offending servers, or trying to take a backup and restore this database to a server that doesn't hold this encryption certificate.
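The two checks the answer describes (decryption progress and leftover encrypted log), as an added example that is not part of the original answer. It assumes the answer's placeholder name YourDatabase and a SQL Server version that provides sys.dm_db_log_info with its vlf_encryptor_thumbprint column.

```sql
-- Added example, not from the original answer.
-- Run on the replica where SET ENCRYPTION OFF was issued.
-- YourDatabase is the placeholder name used in the answer.

-- 1. Progress of the asynchronous decryption scan.
--    percent_complete is only meaningful while a state change is running;
--    it reads 0 once the scan has finished.
SELECT  DB_NAME(dek.database_id) AS database_name,
        CASE dek.encryption_state
            WHEN 0 THEN 'no database encryption key'
            WHEN 1 THEN 'unencrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
        END                      AS encryption_state,
        dek.percent_complete,
        c.name                   AS protecting_certificate
FROM    sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint
WHERE   dek.database_id = DB_ID(N'YourDatabase');

-- 2. Log caveat: count virtual log files (VLFs) that still carry an
--    encryptor thumbprint, i.e. were written while TDE was active.
SELECT  COUNT(*) AS total_vlfs,
        SUM(CASE WHEN li.vlf_encryptor_thumbprint IS NOT NULL
                 THEN 1 ELSE 0 END) AS encrypted_vlfs,
        SUM(CASE WHEN li.vlf_encryptor_thumbprint IS NOT NULL
                  AND li.vlf_active = 1
                 THEN 1 ELSE 0 END) AS encrypted_active_vlfs
FROM    sys.dm_db_log_info(DB_ID(N'YourDatabase')) AS li;
```

While encrypted_vlfs is non-zero, treat the certificate as still required for this database and its backups, and keep it on every server that may restore them.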