| title | Add an encrypted database to an availability group | |||||
|---|---|---|---|---|---|---|
| description | Learn the steps to add an encrypted (or recently decrypted) database to an Always On availability group. | |||||
| author | MashaMSFT | |||||
| ms.author | mathoma | |||||
| ms.reviewer | randolphwest | |||||
| ms.date | 01/19/2024 | |||||
| ms.service | sql | |||||
| ms.subservice | availability-groups | |||||
| ms.topic | how-to | |||||
| helpviewer_keywords |
|
[!INCLUDE SQL Server]
This article contains information about the using currently encrypted or recently decrypted databases with [!INCLUDE ssHADR] in [!INCLUDE ssnoversion].
If a database is encrypted or even contains a database encryption key (DEK), you can't use the [!INCLUDE ssAoNewAgWiz] or [!INCLUDE ssAoAddDbWiz] to add the database to an availability group. Even if an encrypted database has been decrypted, its log backups might contain encrypted data. In this case, full initial data synchronization could fail on the database. This is because the restore log operation might require the certificate that was used by the database encryption keys (DEKs), and that certificate might be unavailable.
To make a decrypted database eligible to add to an availability group using the wizard:
- Create a full database backup of the primary database.
- Create a log backup of the primary database.
- Restore the database backup on the server instance that hosts the secondary replica.
- Restore the log backup on the secondary database.