About DEK rotation and log backup in Transparent Database Encryption (TDE)

Published Mar 23 2019 11:11 AM 328 Views
First published on MSDN on Jan 26, 2009

Regarding the DEK rotation in TDE, after a DEK has been rotated twice, a log backup must be performed before the DEK can be modified again, otherwise in the third time of rotation the following error message will be popped up:

This command requires a database encryption scan on database 'user_db' . However, the database has changes from previous encryption scans that are pending log backup. Take a log backup and retry the command.

However, if the log backup chain hasn’t been established then you will not see this error. The first full backup establishes the log backup chain.

On the other hand if you don’t want to take log backups and still be able to rotate the DEK as many times as you want, the solution is to alter database using SIMPLE recovery model, since log backups are disallowed in SIMPLE recovery model.

Version history
Last update:
‎Mar 23 2019 11:11 AM
Updated by: