Transparent Data Encryption Preview Issues

Update (9-24-2015): All below issues have been resolved and all scenarios should be working now. We appreciate your patience and are eager for you to try all scenarios. Thank you!

As increasing numbers of customers are trying out and using our Preview of Transparent Data Encryption (TDE) for Azure SQL Database, we wanted to make you aware of a few issues some are encountering, primarily with Geo-Replication.

  1. Creating a copy of a TDE Database will result in errors using the Azure Portal or CREATE DATABASE … FROM COPY OF … syntax. We anticipate this to be fixed in the next major deployment.
  2. Terminating a Continuous Copy Relationship (or Geo-Replication) between an Active Geo-Replication Primary and Secondary database may cause the secondary database to have delayed availability issues. We are manually mitigating this issue at the moment, but you may still encounter this. If you have terminated such a relationship and are experiencing availability issues with the secondary, please go to Support in the portal and open a new support request. We anticipate this to be fixed in the next major deployment.
  3. When using TDE on a Geo-Replicated Database, trying to change the Pricing Tier will fail. To work-around this, disable Geo-Replication, change the pricing tier, and then re-enable Geo-Replication.
  4. Deleting a Geo-Replication Secondary database after deleting the primary database can get the secondary database stuck in the delete state if the Geo-Replication Primary Server is deleted before the secondary database. When the Primary Server is deleted, the TDE Certificate associated with it is also deleted. Before deletion of a database, we attempt a final backup – this can hang on the secondary database while attempting to retrieve the TDE Certificate. To avoid this, delete any secondary databases first. If you do get into this state, please go to Support in the portal and open a new support request to either a) approve us to manually delete the database or b) if it was a mistake deleting the server and databases or you anticipate the need to restore the database, request a manual restoration.
  5. Dropping a server and database and then attempting to restore the database from a time when TDE was enabled does not work automatically yet. Please do not drop the server until you are confident you do not need to restore any databases – there is no cost for Database Servers, just the databases themselves. If you do need to restore the database in this scenario, go to Support on portal.azure.net and open a new support request for us to perform a manual restore.
  6. Creating a Geo-Replica of a Geo-Replication Secondary Database, i.e., a replica of a replica, is not supported yet.

 

We anticipate that the first 2 issues will be resolved shortly – the rest of these issues will be resolved within a couple of months. Hopefully the work-arounds and our manual mitigations will be sufficient for your needs during preview – if not, please reach out to us via support. As fixes for these issues are deployed, I’ll update on this blog. Thank you for your patience during the preview of this feature.