Enabling TDE on a mirrored database

  • I've just enabled TDE on the principal but forgot to create the master key and restore the certificate to the mirror before enabling TDE 🙁
    The encryption state moved from 0 (Not Encrypted) to 1 (Unencrypted) and then stuck there.
    At the same time, I got these errors in the principal error log:
      04/30/2018 16:44:29,spid18s,Unknown,Database mirroring will be suspended. Server instance '<instance name>' encountered error 33111<c/> state 3<c/> severity 16 when it was acting as a mirroring partner for database '<dbname>'. The database mirroring partners might try to recover automatically from the error and resume the mirroring session. For more information<c/> view the error log for additional error messages.
      04/30/2018 16:44:29,spid18s,Unknown,Error: 1454<c/> Severity: 16<c/> State: 1.
      04/30/2018 16:44:29,spid18s,Unknown,Cannot find server certificate with thumbprint '0x785D30307A4D636FAB58DC85EA6758E498CB7DEF'.
      04/30/2018 16:44:29,spid18s,Unknown,Error: 33111<c/> Severity: 16<c/> State: 3.
    I then created the master key and restored the certificate to the mirror and resumed mirroring successfully:
      04/30/2018 17:49:06,spid18s,Unknown,Database mirroring is active with database '<dbname>' as the mirror copy. This is an informational message only. No user action is required.
    However, attempting to enable TDE on the principal again, I'm still stuck at 1 (Unencrypted).

    Any ideas please?

  • Should anyone search and find this post.

    I ran set encryption on about 10 times and the encryption state remained at 1. Fortunately, just for the heck of it, I ran the command one more time and the db started encrypting.

    I think if you get into this state and can't kill all the connections, just be very, very patient: don't do anything drastic for the first 30 mins or so and keep trying. I'd say the moral of this story is, even if you are context switching, overworked and pulled this way and that, have a checklist of steps to tick off before you start. Anyway, thank goodness the encryption started and indeed completed. That was seriously stressful.

    ALTER DATABASE <dbname>
    SET ENCRYPTION ON;

  • Glad it worked. I'd say undo the setup and restore the cert, then set up again. It's not that complicated. It is stressful though.
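
The checklist the thread asks for, as an added T-SQL example that is not part of any post above: the certificate must exist on the mirror, with a matching thumbprint, before encryption is switched on at the principal. The names `TdeCert` and `SalesDb`, the file paths and the passwords are hypothetical placeholders.

```sql
-- Added example; TdeCert, SalesDb, paths and passwords are hypothetical.

-- 1. PRINCIPAL: master key, certificate, and a backup of the certificate.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<principal master key password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\Backup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Backup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<private key file password>');

-- 2. MIRROR: master key, then restore the same certificate.
--    Skipping this step is what produced "Cannot find server certificate
--    with thumbprint ..." and error 33111 in the log quoted in the thread.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<mirror master key password>';
CREATE CERTIFICATE TdeCert
    FROM FILE = 'C:\Backup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Backup\TdeCert.pvk',
                      DECRYPTION BY PASSWORD = '<private key file password>');

-- 3. BOTH INSTANCES: the thumbprints must be identical before continuing.
SELECT name, thumbprint, expiry_date
FROM master.sys.certificates
WHERE name = 'TdeCert';

-- 4. PRINCIPAL: confirm mirroring is healthy, then enable TDE.
SELECT DB_NAME(database_id) AS database_name, mirroring_state_desc
FROM sys.database_mirroring
WHERE mirroring_guid IS NOT NULL;

USE SalesDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;

-- 5. PRINCIPAL: watch progress. encryption_state 1 = unencrypted,
--    2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
```

Delete the `.cer` and `.pvk` files from the transfer location once the mirror has the certificate, and keep a copy of both in protected offline storage, since the database cannot be restored elsewhere without them.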
