Uninstalling and Upgrading KeyControl and Microsoft SQL Server TDE

This section explains how to uninstall and upgrade the KeyControl Policy Agent and the VM for Microsoft SQL Server TDE.

Note: If you delete a provider login credential you will no longer be able to use it for the KeyControl SQLEKM provider.

Note: If you delete an associated KeyControl database connector you will no longer be able to use it to access the SQL Server or the KeyControl SQLEKM provider.

Note: If you unregister, uninstall or destroy the KeyControl Policy Agent client, you will no longer be able to access the data on SQL Server.

Turning off TDE and removing TDE setup

You must turn off TDE on all your databases and remove TDE setup before uninstalling KeyControl SQLEKM. Otherwise, you will not be able to decrypt any databases encrypted with TDE.

Before disabling and removing TDE encryption, you are advised to back up the encrypted database (see Backing up TDE database using SQL Server Management Studio).

  1. In SQL Server Management Studio, navigate to Databases > TestDatabase.

  2. Right-click TestDatabase, then select Tasks > Manage Database Encryption….

  3. Ensure Set Database Encryption On is deselected, then click OK.

  4. Wait for the decryption process to finish. Check this by referring to Configuration.

  5. When the database has completed decryption, drop the encryption key using the following T‑SQL query:

    USE TestDatabase;
    DROP DATABASE ENCRYPTION KEY;
    GO

  6. Restart the database instance. If you are using a database failover cluster, you may have to do this directly on the active server. In SQL Server Management Studio, right-click on the instance and select Restart.

  7. In SQL Server Management Studio, navigate to Security > Logins, and select the TDE login you wish to remove (for example, tdeLogin). Right-click on the selected login and select Properties.

  8. Ensure the associated credential (for example, tdeCredential) is highlighted then choose Remove. Untick the box Map to credential. Click OK.

  9. In SQL Server Management Studio, navigate to Security > Credentials, and select the same credential you previously removed from the login (for example, tdeCredential). Right-click on the credential and select Delete. In the following screen, select OK.

  10. In SQL Server Management Studio, navigate to Security > Logins, and select the TDE login you wish to remove (for example, tdeLogin). Right-click on the selected login and select Delete. In the following screen, select OK.

  11. In SQL Server Management Studio, navigate to Databases > System Databases > master > Security > Asymmetric keys. Select the key you wish to remove (for example, dbAsymWrappingKey). Right-click on the key and select Delete. Alternatively, you can use the following query:

    USE master
    DROP ASYMMETRIC KEY dbAsymWrappingKey REMOVE PROVIDER KEY;
    GO
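The following read-only T-SQL checks are an added example, not part of the vendor procedure. They confirm that decryption has finished before step 5 and that no database encryption key still depends on the wrapping key before step 11. TestDatabase and dbAsymWrappingKey are the example names used on this page; the queries only read the standard views sys.dm_database_encryption_keys, sys.databases and sys.asymmetric_keys and drop nothing.

```sql
-- Added example: read-only pre-flight checks for the TDE removal procedure.
-- TestDatabase and dbAsymWrappingKey are the example names from this page.
USE master;
GO

-- Overview: every database that still holds a database encryption key (DEK).
-- encryption_state: 1 = unencrypted, 2 = encryption in progress,
--                   3 = encrypted,   5 = decryption in progress.
-- tempdb is listed as encrypted until the instance restart in step 6.
SELECT d.name             AS database_name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.encryptor_type,
       ak.name            AS wrapping_key
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d
     ON d.database_id = k.database_id
LEFT JOIN sys.asymmetric_keys AS ak          -- keys in master, wrapped by the EKM provider
     ON ak.thumbprint = k.encryptor_thumbprint
ORDER BY d.name;
GO

-- Check before step 5: the DEK may only be dropped once the state is 1.
DECLARE @state int =
    (SELECT encryption_state
     FROM sys.dm_database_encryption_keys
     WHERE database_id = DB_ID(N'TestDatabase'));

IF @state IS NULL
    PRINT 'TestDatabase has no DEK; nothing to drop in step 5.';
ELSE IF @state = 1
    PRINT 'TestDatabase is fully decrypted; step 5 can proceed.';
ELSE
    RAISERROR('TestDatabase is in encryption_state %d; do not drop the DEK yet.', 16, 1, @state);
GO

-- Check before step 11: no remaining DEK may be protected by the wrapping key.
IF EXISTS (SELECT 1
           FROM sys.dm_database_encryption_keys AS k
           JOIN sys.asymmetric_keys AS ak
                ON ak.thumbprint = k.encryptor_thumbprint
           WHERE ak.name = N'dbAsymWrappingKey')
    RAISERROR('A DEK is still protected by dbAsymWrappingKey; do not drop the key.', 16, 1);
ELSE
    PRINT 'No DEK depends on dbAsymWrappingKey; step 11 can proceed.';
GO
```

Run the overview for the whole instance, not just TestDatabase: any database still listed with dbAsymWrappingKey as its wrapping key must be decrypted and have its DEK dropped before the key or the KeyControl SQLEKM provider is removed.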