Disabling Database Encryption - During or after Production Hours?

  • I have to disable newly implemented database encryption. It's a necessity unfortunately. Can I do this during production hours without much of a hit? I know I have to restart the instance after it's done. Can I expect performance impacts or other issues?

  • Hey Guys,

    I didn't get an answer here so I'll answer my own question for those of you who are curious. I went ahead and did the decryption last night after hours as I was worried there may be some production impacts. Fortunately there were not. Here are the steps I took with some assistance from this blog post by Steve Perry:

    1. Preemptive Setup

    a. Double checked my certificate backups

    b. Disabled transaction log backups

    c. Disabled backups

    2. Ran a backup of the database.

    3. Ran the following decryption and progress check

    USE MASTER
    GO
    ALTER DATABASE {Database Name}
    SET ENCRYPTION OFF
    GO
    -- Progress check: encryption_state 5 = decryption in progress, 1 = unencrypted
    SELECT * FROM sys.dm_database_encryption_keys

    4. After the database was fully decrypted, I ran a drop cert statement

    USE {Database Name}
    GO
    DROP DATABASE ENCRYPTION KEY
    GO

    5. Restarted the instance

    a. Apparently, this is only necessary if the decrypted database was the only encrypted DB

    6. Ran another Backup

    7. Tested backup restore on test server

    8. Enabled T-Log backups

    9. Turned on Backups

    Thankfully, there were no issues, no job failures, etc. I'm assuming if you don't need to restart the instance that you can go ahead and run these steps without issue.
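
Added example, not part of the original post: a T-SQL sketch of steps 1a, 3 and 4 that reports when the TDE certificate's private key was last backed up, waits for the decryption scan to finish, and only then drops the database encryption key. `YourDatabase` and the 30-second polling interval are placeholders chosen for illustration.

```sql
-- Added example. N'YourDatabase' is a placeholder; run after SET ENCRYPTION OFF.
DECLARE @db sysname = N'YourDatabase';
DECLARE @state int, @pct int, @sql nvarchar(max);

-- Step 1a: confirm the protecting certificate has a private-key backup.
-- Backups taken while the database was encrypted still need it to restore.
SELECT c.name, c.expiry_date, c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS k
JOIN master.sys.certificates AS c
  ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID(@db);

-- Step 3: poll until the background decryption scan has completed.
WHILE 1 = 1
BEGIN
    SELECT @state = encryption_state,
           @pct   = CAST(percent_complete AS int)
    FROM sys.dm_database_encryption_keys
    WHERE database_id = DB_ID(@db);

    IF @@ROWCOUNT = 0
    BEGIN
        RAISERROR('No database encryption key found for %s.', 16, 1, @db);
        RETURN;
    END

    IF @state = 1 BREAK;   -- 1 = unencrypted, scan finished

    IF @state <> 5         -- 5 = decryption in progress
    BEGIN
        RAISERROR('Unexpected encryption_state %d for %s; key not dropped.',
                  16, 1, @state, @db);
        RETURN;
    END

    RAISERROR('Decrypting %s: %d percent complete', 0, 1, @db, @pct) WITH NOWAIT;
    WAITFOR DELAY '00:00:30';
END

-- Step 4: drop the key only once the database is fully decrypted.
SET @sql = N'USE ' + QUOTENAME(@db) + N'; DROP DATABASE ENCRYPTION KEY;';
EXEC sys.sp_executesql @sql;
```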
