Offer Offer

News We Recently Launched AD Migrator and AD Reporter.

SQL Remove Encryption – Get Rid of Transparent Data Encryption

  author
Written By Andrew Jackson
Anuraag Singh
Approved By Anuraag Singh
Published On November 18th, 2024
Reading Time 11 Minutes Reading

SQL Server remove encryption from Database

Synopsis: This article is going to help users find effective solutions for SQL remove encryption from database tasks. There are both manual & automated methods present but users need to make wise selections based on their technical knowledge, expertise, requirements, etc. With the right knowledge, users can easily fix cannot disable database encryption while an encryption, decryption, or key change scan is in progress error. 

Transparent Database Encryption is undoubtedly one of the most appreciated features of SQL server databases. It enables users to protect their data to the utmost level. However, there are scenarios when users want to change their encryption methods due to several reasons.

In such cases, they need to remove SQL encryption from database, column, stored procedure, triggers, & other data objects. To transform the encryption solution, users first need to decrypt the existing encryption.

To understand how to disable database encryption in SQL Server, we are first going to look at the automated solution that can provide users with a detailed solution in quick steps. Then, they can move to the manual solution if still required. Although IT experts, trusted users & MVPs themselves opt for the much better-advanced solution.

Before we proceed further, let’s have a look at the reasons for removing the encryption from the SQL database:

  • For taking backup of the SQL database without hassles.
  • Ease of sending database copies to other departments.
  • Changing the encryption pattern for higher security.
  • Performance issues with existing encryption.
  • Other miscellaneous reasons.

Pre-Requisites for SQL Remove Encryption

Now, before we dive straight into the solutions, we need to make sure that we are well aware of the prerequisites. We are going to explain both complex manual methods & advanced automated solutions. Therefore, the prerequisites of both solutions are mentioned here.

Advanced Automated Solution Pre-Requisites:

  • Microsoft .NET Framework 4.5 or above should be installed.
  • Must run the Application with “Run as Administrator” option.
  • DAC connection must be enabled prior to the decryption task.
  • The MS SQL Server should be installed on the Users’ system.

Complex Manual Solution Pre-Requisites:

  • Take the Master Key and Certificates backup. Store them safely in a separate location to befor SQL Server remove encryption from Stored Procedure, table, etc.
  • Don’t try to remove the certificate in case it’s common for multiple databases & you are trying to remove encryption for just one or selective.
  • Avoid removing the Master Key & Certificates in case the requirement is to only remove TDE temporarily. Instead, try turning it off & on as needed using ALTER.
  • Clean your database & delete unwanted data files. It will reduce the TDE scan time during the decryption process to a great extent.
  • Don’t forget to run a complete database backup prior to starting the operation as it can help users in case of corruption or data loss.
  • This task can take a longer duration. Hence, always schedule the operation for odd hours or non-business hours. This also helps in reducing the load on the database.

Also Read: View Database with MDF File Opener without SQL Server

SQL Server Remove Encryption from Database Step by Step

Firstly, we’re going to learn the advanced automated solution as users are searching for an advanced & reliable solution. For this, we are using the user-trusted and expert-recommended SysTools SQL Decryptor software.

Download Now Purchase Now

Download the automated and then the tool must go through the pre-requisites of the automated solution first. Now, follow the quick & easy five simple steps mentioned below to get the expected results with ease.

  1. Launch the Tool in your system after installation & Click on Start button.start SQL remove encryption
  2. Select the SQL Server Name or Enter it Manually to proceed further.select database
  3. Preview the SQL Database Records and Click the Next button.preview objects
  4. Select the Export Options & the Database Objects required.select database objects
  5. Click on Export to finish SQL Server Remove Encryption.Hit the export button

That’s it. All the encrypted files are now decrypted without executing any manual commands. Yes, this is the easiest solution for SQL remove encryption from database. These simple steps are what make this tool best for users in comparison with the complex manual solution.

Now, if users are still interested to know the manual solution, they can learn it from below. Must know the order to execute this task manually:

  1. Turn off TDE on the SQL Database.
  2. Drop the database encryption key.
  3. Drop certificate for the master database.
  4. Drop the master key at the end to finish.
Also Read: How to Repair SQL Database Command with Ease

Step 1. Turn Off Transparent Database Encryption (TDE)

First of all, check if the TDE is enabled on your preferred database or not. If it is not disabled, then users can disable TDE SQL Server easily. Then we can proceed with the operation. For this, run the below-mentioned command followed by other commands, until we learn how to disable database encryption in SQL Server easily:

----Check if TDE is turned on forthe selected SQL Server Instance

SELECT DB_Name(Id_of_Database) As [Database_Name, Encryption_State, Encryption_State_Desc
FROM sys.dm_database_encryption_keys
GO
SELECT name, is_encrypted
FROM sys.databases
Go

check SQL remove encryption

Now, simply run the below-mentioned ALTER command:

-- Replace “TDE_DB” with the destination user database name

USE master;
GO
ALTER DATABASE TDE_DB SET ENCRYPTION OFF;
GO

In the case of a large-sized database, this command may take some time to provide results. This is why always execute this during odd or off business hours.

unencrypted

After the completion, users can see their TDE database as UNENCRYPTED. On the other hand, we can clearly see that the Temp_DB is still encrypted. In the case of a large database, it can also show DECRYPTION IN PROGRESS status.

In case users are not interested in SQL remove encryption for keys & certificates, they can restart the SQL Server Service which will execute SQL Server disable encryption from Temp_DB. As shown in the image, users can get an idea:

temp_db

Now we are aware of the fact that sys.dm_database_encryption_keys are still showing an entry for the database “TDE_DB” as unencrypted. This is happening because the keys are not completely removed. Moreover, it means that the associated database encryption key is still there. Let’s learn to drop this key further to execute SQL Server remove encryption from Database, Stored Procedure, and columns.

Step 2. Drop the Encryption Key for Database

The very second step for users is to drop the Encryption Key to proceed further. This is why they need to execute the following command in their database:

-- To Drop Database Encryption key

USE TDE_DB;
GO
DROP DATABASE ENCRYPTION KEY;
GO

Now, the results of drop encryption key SQL Server are like this:

drop encryption key

Now, we can see that the encryption key for the database is dropped successfully. It’s time we see the TDE status again to cross-verify if it is still there in the DMV output or not.

TDE status

Here, we can clearly see that we succeeded in SQL Server removing encryption from Column, stored procedures, etc. in the database by dropping the key.

However, now, moving forward, we know that some of the associated files are still present in the Master database file. In order to remove TDE entirely from the database system, we need to clean it all. Let’s learn this as well.

Step 3. Drop TDE Certificate for Master Database

Now, we will learn to drop TDE certificate SQL Server with ease for sure. Now, in order to drop the TDE certificate, users must execute the following command:

-- Drop the Certificate

USE master
Go
DROP CERTIFICATE TDE_DB_Cert;
Go

After executing the command, we can say that now we have dropped the certificate. Now, it’s time for us to check the status again to cross-verify. For this we have mentioned the below image: 

finish

In the above image, we can’t see the TDE_Cert under the certificates folder. Simply means that we dropped the certificates successfully without any errors. For more information about the SQL Server delete certificate steps, users can get assistance from Microsoft.

Now, we can proceed further to finally complete the process for SQL remove encryption by removing the Master Key. Let’s complete the task without any hassles.

Step 4. Drop the Master Key Finally

The use of the master key is to primarily safeguard the certificates in association with the TDE. Now, that we want to remove the TDE completely, there is no need for this master key. Therefore, let’s follow the below command as it is:

-- Drop the Master Key

USE master
Go
DROP MASTER KEY;
GO

Finally, with this step, users are done with SQL Server remove encryption from Column, triggers, stored procedures, etc. in the database. Now, they can see that the cannot disable database encryption while an encryption, decryption, or key change scan is in progress is resolved. Well, this is indeed a hectic task in comparison to the automated one.

Now, restart the SQL Server services to get everything back to normal. Also, must run a complete backup of your fresh unencrypted database. This will make sure that users now possess a healthy database without a key or certificate encryptions.

Infographic Tips to Remove SQL Encryption

drop TDE certificate SQL Server

Limitations of SQL Server Disable Encryption Operation

The manual solution is not as simple as it looks like. It has several drawbacks present in it. These shortcomings make this solution quite unfavourable for the users trying to get a smooth one shot solution. These drawbacks are:

  • No Guaranteed Results: The manual solution does not provide any guarantee to users for getting their expected results as it is quite unstable. However, in most cases, users execute mistakes but it is not considered reliable.
  • Lacks Advanced Features: Users should not expect any of the advanced features here in this solution. It is only capable of executing the basic commands. For even slight changes in the results, users need to modify their commands.
  • Requires High Technicalities: To learn how to disable tde in SQL Server database, users need to be aware of the SQL Server technicalities in depth. Beginner users may find it difficult & might end up messing up the situation.
  • Time Consuming: The manual solution is excessively inefficient and it often consumes more time than it should. Therefore, it simply wastes time resources & makes the operation costs higher than usual.
  • Contain Risk Factors: There are plenty of risk factors present in this method. It is observed most often that users end up corrupting their data files or losing the entire data due to any false step by accident.

Conclusion

Finally, now users are well aware of the process for SQL remove encryption from Database tasks. Both methods work but with different paces, features, benefits, & ease. For a simplified solution, the automated tool plays a major role. This is why even experts trust this. Evidently, it saves plenty of their time as well.

In a nutshell, the manual solution is for the worst cases. Overall, the automated one is recommended as it has modern features, interactive GUI, faster operations, & better results.

Frequently Asked Questions

Q-1. How to disable database encryption in SQL Server if users know only a few commands?

Ans: If users are aware of a few commands, they can grasp the remaining ones. However, if users are not aware of any commands, they can simply opt for the automated solution.

Q-2. How do I turn off forced encryption in SQL Database?

Ans: Follow the below steps to disable server-side encryption using SQL Server configuration manager:

  1. Go to SQL Server Configuration Manager
  2. Right Click Protocols > Properties
  3. Select No in I remove the certificates option
  4. Click on Ok to finish.

Q-3. Can we drop the encryption key SQL Server automatically?

Ans: No, to execute the procedure manually, users need to execute all four steps manually. Otherwise, they can execute the entire operation automatically. There is no way that they can execute one single manual step of dropping the encryption key automatically.

Q-4. Is it possible to remove encryption in MySQL the same way as MS SQL?

Ans: No, there is a separate procedure to do so as MySQL is a different database server.

  author

By Andrew Jackson

I am SQL DBA and SQL Server blogger too. I like to share about SQL Server and the problems related to it as well as their solution and also I do handle database related user queries, server or database maintenance, database management, etc. I love to share my knowledge with SQL Geeks.