Turning off TDE for RDS for SQL Server - Amazon Relational Database Service

Turning off TDE for RDS for SQL Server

To turn off TDE for an RDS for SQL Server DB instance, first make sure that there are no encrypted objects left on the DB instance. To do so, either decrypt the objects or drop them. If any encrypted objects exist on the DB instance, you can't turn off TDE for the DB instance. When you use the console to remove the TDE option from an option group, the console indicates that it's processing. In addition, an error event is created if the option group is associated with an encrypted DB instance or DB snapshot.

The following example removes the TDE encryption from a database called customerDatabase.

------------- Removing TDE ---------------- USE [customerDatabase] GO -- Turn off encryption of the database ALTER DATABASE [customerDatabase] SET ENCRYPTION OFF GO -- Wait until the encryption state of the database becomes 1. The state is 5 (Decryption in progress) for a while SELECT db_name(database_id) as DatabaseName, * FROM sys.dm_database_encryption_keys GO -- Drop the DEK used for encryption DROP DATABASE ENCRYPTION KEY GO -- Alter to SIMPLE Recovery mode so that your encrypted log gets truncated USE [master] GO ALTER DATABASE [customerDatabase] SET RECOVERY SIMPLE GO

When all objects are decrypted, you have two options:

  1. You can modify the DB instance to be associated with an option group without the TDE option.

  2. You can remove the TDE option from the option group.