Error message when you run the ALTER SERVICE MASTER KEY REGENERATE statement in SQL Server 2005: "The current master key cannot be decrypted" (914261)
The information in this article applies to:
- Microsoft SQL Server 2005 Standard Edition
- Microsoft SQL Server 2005 Workgroup
- Microsoft SQL Server 2005 Developer Edition
- Microsoft SQL Server 2005 Enterprise Edition
SYMPTOMS
When you run the ALTER SERVICE MASTER KEY REGENERATE Transact-SQL statement in Microsoft SQL Server 2005, you may receive the following error message:

The current master key cannot be decrypted. If this is a database master key, you should attempt to open it in the session before performing this operation. The FORCE option can be used to ignore this error and continue the operation but the data encrypted by the old master key will be lost.

CAUSE
This problem occurs because there is no existing service master key for the instance of SQL Server 2005. The ALTER SERVICE MASTER KEY statement is used to change a service master key that already exists. If the service master key does not already exist, the server returns an error. The REGENERATE option tells SQL Server to re-create the service master key. Before the server creates a new service master key, the server must first use the old service master key to decrypt all the keys that were encrypted by using the old service master key. The server then creates a new service master key and uses it to encrypt the decrypted keys. If there is no service master key, SQL Server cannot complete the regeneration process, and you may receive the error message.

WORKAROUND
Warning: Only use the following workaround if no service master key has ever been created for the instance of SQL Server 2005.
To work around this problem, add the FORCE option to the ALTER SERVICE MASTER KEY REGENERATE Transact-SQL statement. The FORCE option causes the key regeneration process to continue even if the process cannot retrieve the current master key.

STATUS
This behavior is by design.

MORE INFORMATION
The service master key is automatically generated the first time that it must be used to encrypt a linked server password, a credential, or a database master key. Therefore, an instance of SQL Server 2005 may not have a service master key.

REFERENCES
For more information about the service master key, visit the following Microsoft Developer Network (MSDN) Web site: For more information about the ALTER SERVICE MASTER KEY REGENERATE Transact-SQL statement, visit the following MSDN Web site:
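The following Transact-SQL is an added example, not part of the original article. It gates the FORCE workaround on an inventory of the three kinds of secrets that the MORE INFORMATION section says cause a service master key to be generated. Treating an empty inventory as sufficient evidence that FORCE will not discard data is an assumption of this example; the catalog views and columns used exist in SQL Server 2005.

```sql
-- Added example (not from the KB article). SQL Server 2005 syntax:
-- no DECLARE initializers, RAISERROR instead of THROW.
USE master;
GO

DECLARE @linked_logins int, @credentials int, @dmk_by_smk int;

-- Linked server logins that map to a stored remote login and password.
SELECT @linked_logins = COUNT(*)
FROM sys.linked_logins
WHERE uses_self_credential = 0
  AND remote_name IS NOT NULL;

-- Credentials; each one stores an encrypted secret.
SELECT @credentials = COUNT(*)
FROM sys.credentials;

-- Databases whose database master key is also encrypted by the
-- service master key (the default after CREATE MASTER KEY).
SELECT @dmk_by_smk = COUNT(*)
FROM sys.databases
WHERE is_master_key_encrypted_by_server = 1;

-- Show the inventory so it can be recorded before any change is made.
SELECT @linked_logins AS linked_logins_with_password,
       @credentials   AS credentials,
       @dmk_by_smk    AS db_master_keys_encrypted_by_smk;

IF @linked_logins + @credentials + @dmk_by_smk = 0
BEGIN
    -- Nothing on this instance depends on a service master key
    -- (assumption: the three checks above cover every dependent),
    -- so there is no encrypted data for FORCE to discard.
    ALTER SERVICE MASTER KEY FORCE REGENERATE;
    PRINT 'Service master key regenerated with FORCE.';
END
ELSE
BEGIN
    -- Dependents exist: a service master key has been used at some point.
    -- FORCE would make these secrets unrecoverable, so stop here.
    RAISERROR('Secrets protected by the service master key exist. FORCE REGENERATE was not run.', 16, 1);
END
GO
```

If the inventory is not empty, the article's warning applies: the instance has had a service master key, and the decryption failure needs to be investigated rather than bypassed with FORCE.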
Modification Type: Major
Last Reviewed: 3/8/2006
Keywords: kbsql2005engine kbExpertiseAdvanced kbtshoot kbprb KB914261 kbAudDeveloper kbAudITPRO