KB #240102: Encrypted Databases not accessible (Recovery Pending, Suspect)
Your encrypted SQL databases are not accessible after you have started SQL Server. They are in Suspect or Recovery Pending mode. There are numerous reasons this might be the case. This article lists some of those reasons and how to diagnose and resolve them.
You have encrypted your database, but you are not able to access it via SQL Server. You will typically see either a “Torn Page..” error or an “I/O inconsistency..” error when SQL has tried to load the encrypted database. In SQL Management Studio, the database has Suspect or Recovery Pending status. Below are some of the reasons that you might not be able to access the encrypted databases.
If you have installed the Encryptionizer APIs, you can test whether the keys are being delivered to the SQL instance.
A result > 0 is expected. If you receive a result of 0, these are some of the possible reasons:
- The SQL instance is not secured or has not been restarted since you secured the instance. You can run the Administration Wizard to determine the Secured state of a SQL instance. If the state of the SQL instance says “Unsecured”, you must run the Admin Wizard to set the Encryptionizer server key(s) and options. If the state says “Secured/Restart”, you must restart the SQL instance in order for the Encryptionizer keys to load.
- The database was encrypted with a key that does not match one of the keys entered in the Administration Wizard when you secured the SQL instance. In order for a SQL instance to load an encrypted database, the key with which you encrypted the database must match exactly one of the keys entered in the Admin Wizard – algorithm, key length and passphrase. If the encrypted database does not match the Admin Wizard keys, Encryptionizer cannot open the encrypted database file and SQL cannot recognize the database files as valid. Use the fn_n_codelvl Encryptionizer API to determine if you have a match. More information can be found in the Whole Database User Guide (PDF) installed with your software (found in the install directory).
- Your Registration key has expired or is invalid. If the Encryptionizer Registration key is not valid (it may be a temporary or evaluation registration key), the Encryptionizer drivers will not load and your encrypted databases are not accessible. If you run the reg3.exe or reg2.exe program found in your NetLib install directory, it will display the registration key name. If it has the words “Temp” or “Exp” in it, it is likely an expiring registration key. If you start the NetLib Main Menu program, you will be presented with an expired registration key message. These are all signs that your registration key may have expired. Contact tech support for a new Temporary Registration key or information on how to request a Permanent Registration key for your installation.
- The NetLib Key Management Service is not running. You will find this service in the Services Management Console. It must be running at the time that your secured SQL instance starts or your database will not come online. If it is not running, try starting it. If it starts, restart SQL and see if your databases come online. Even if they do, you should investigate why the service was not running in the first place.
- Database did not come online after reboot but a manual restart of the SQL instance allowed the databases to come online. Particularly on Windows 2016 or later, the NetLib Key Management Service could start later than SQL starts, causing this symptom. See KB240119: Encrypted Databases Not Accessible After Reboot but are Accessible After Manually Restarting SQL Server.
- You are using a Remote Profile (profile stored in alternate location) and there is an issue. See KB240040: Cannot start SQL Server or encrypted database is inaccessible when profile is on a remote machine.
- You have specified that the Master must be encrypted when you secured the instance, but the Master is not encrypted. The Encryptionizer Key Management Service (KMS) will not deliver the encryption key to the instance unless the “master must” rule is satisfied. The Master must be encrypted and it must be encrypted with a key that matches one of the keys specified in the Admin Wizard.
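The two service-related causes above (the key service not running, or starting after SQL Server) can be checked from PowerShell by comparing process start times. This is an added example, not NetLib's own tooling; it assumes the service's display name is "NetLib Key Management Service" as shown in the Services console and that SQL Server runs as the default instance `MSSQLSERVER`.

```powershell
# Added example (not vendor code). Both names below are assumptions; adjust for your host.
$kmsDisplayName = 'NetLib Key Management Service'  # assumed to match the Services console entry
$sqlServiceName = 'MSSQLSERVER'                    # default instance; named: 'MSSQL$<InstanceName>'

function Get-ServiceStartInfo {
    param([Parameter(Mandatory)][string]$WqlFilter)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $WqlFilter | Select-Object -First 1
    if (-not $svc) { return $null }
    $started = $null
    if ($svc.State -eq 'Running' -and $svc.ProcessId -gt 0) {
        # Process creation time stands in for the service start time
        # (accurate when the service runs in its own process).
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($svc.ProcessId)"
        if ($proc) { $started = $proc.CreationDate }
    }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Started   = $started
    }
}

$kms = Get-ServiceStartInfo -WqlFilter "DisplayName = '$kmsDisplayName'"
$sql = Get-ServiceStartInfo -WqlFilter "Name = '$sqlServiceName'"
$kms, $sql | Where-Object { $_ } | Format-Table -AutoSize

if (-not $kms) {
    Write-Warning "No service with display name '$kmsDisplayName' was found."
} elseif ($kms.State -ne 'Running' -or -not $kms.Started) {
    Write-Warning 'Key service is not running. Start it, then restart the SQL instance.'
} elseif (-not $sql -or -not $sql.Started) {
    Write-Warning "SQL service '$sqlServiceName' was not found or is not running."
} elseif ($kms.Started -gt $sql.Started) {
    # Matches the reboot symptom described above: keys were not available when SQL started.
    Write-Warning 'Key service started AFTER SQL Server. Restart the SQL instance; see KB240119.'
} else {
    Write-Output 'Key service was running before SQL Server started; check the other causes.'
}
```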
240040: Cannot start SQL Server or encrypted database is inaccessible when profile is on a remote machine
240084: SQL will not start. The System cannot find the file specified
240085: SQL will not start – related articles
240086: fn_n_keycount() returns Zero, when greater than Zero expected
240091: NLCBTASK Service fails to start with error “The system cannot find the file specified”
240119: Encrypted Databases Not Accessible After Reboot but are Accessible After Manually Restarting SQL Server
Last modified: 6/6/2018