Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Msg 33111 error after SQL Server TDE certificate or key rotation


View products that this article applies to.

Symptoms

After you perform a Transparent Data Encryption (TDE) certificate or key rotation, drop the original certification, and then conduct a log backup using COMPRESSION+MAXTRANSFERSIZE, you receive the following error:

↑ Back to the top


Cause

When changing the certificate or keys, the current active Virtual Log File (VLF)—which is encrypted by the previous key—will be closed. The next available VLF (or newly created VLF) will be used and encrypted by the new certification.

At this stage, the transaction log file retains log records encrypted by the previous certificate as well as log records encrypted by new certificate.

When you conduct a log backup with COMPRESSION+MAXTRANSFERSIZE parameters, the log records that have been encrypted by the previous certificate will be decrypted and then encrypted by the new certificate, and then saved to the backup file.

Because of this, the previous certification is needed for decryption. The log backup will fail if the previous certificate does not exist.

↑ Back to the top


Resolution

Restore the previous certification and try the backup again.

↑ Back to the top


Status

Microsoft is researching this problem and will post more information in this article when the information becomes available.

↑ Back to the top


References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top


Keywords: kbSupportTopic, kbContentAuto, SQL Server 2019, SQL Server 2016, SQL Server 2014, SQL Server 2012

↑ Back to the top

Article Info
Article ID : 4534430
Revision : 8
Created on : 12/19/2019
Published on : 12/19/2019
Exists online : False
Views : 398