sys.dm_database_encryption_keys (Transact-SQL)

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance SQL database in Microsoft Fabric

Returns information about the encryption state of a database and its associated database encryption keys. For more information about database encryption, see Transparent Data Encryption (TDE).

Column Name Data Type Description
database_id int ID of the database.
encryption_state int Indicates whether the database is encrypted or not encrypted.

0 = No database encryption key present, no encryption

1 = Unencrypted

2 = Encryption in progress

3 = Encrypted

4 = Key change in progress

5 = Decryption in progress

6 = Protection change in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed.)
create_date datetime Displays the date (in UTC) the encryption key was created.
regenerate_date datetime Displays the date (in UTC) the encryption key was regenerated.
modify_date datetime Displays the date (in UTC) the encryption key was modified.
set_date datetime Displays the date (in UTC) the encryption key was applied to the database.
opened_date datetime Shows when (in UTC) the database key was last opened.
key_algorithm nvarchar(32) Displays the algorithm that is used for the key.
key_length int Displays the length of the key.
encryptor_thumbprint varbinary(20) Shows the thumbprint of the encryptor.
encryptor_type nvarchar(32) Applies to: SQL Server (SQL Server 2012 (11.x) through current version).

Describes the encryptor.
percent_complete real Percent complete of the database encryption state change. This will be 0 if there is no state change.
encryption_state_desc nvarchar(32) Applies to: SQL Server 2019 (15.x) and later.

String that indicates whether the database is encrypted or not encrypted.

NONE

UNENCRYPTED

ENCRYPTED

DECRYPTION_IN_PROGRESS

ENCRYPTION_IN_PROGRESS

KEY_CHANGE_IN_PROGRESS

PROTECTION_CHANGE_IN_PROGRESS
encryption_scan_state int Applies to: SQL Server 2019 (15.x) and later.

Indicates the current state of the encryption scan.

0 = No scan has been initiated, TDE is not enabled

1 = Scan is in progress.

2 = Scan is in progress but has been suspended, user can resume.

3 = Scan was aborted for some reason, manual intervention is required. Contact Microsoft Support for more assistance.

4 = Scan has been successfully completed, TDE is enabled and encryption is complete.
encryption_scan_state_desc nvarchar(32) Applies to: SQL Server 2019 (15.x) and later.

String that indicates the current state of the encryption scan.

NONE

RUNNING

SUSPENDED

ABORTED

COMPLETE
encryption_scan_modify_date datetime Applies to: SQL Server 2019 (15.x) and later.

Displays the date (in UTC) the encryption scan state was last modified.

Permissions

On SQL Server and SQL Managed Instance, requires VIEW SERVER STATE permission.

On SQL Database Basic, S0, and S1 service objectives, and for databases in elastic pools, the server admin account, the Microsoft Entra admin account, or membership in the ##MS_ServerStateReader## server role is required. On all other SQL Database service objectives, either the VIEW DATABASE STATE permission on the database, or membership in the ##MS_ServerStateReader## server role is required.

In Fabric SQL database, a user must be granted VIEW DATABASE STATE in the database to query this DMV. Or, a member of any role the Fabric workspace can query this DMV.

Permissions for SQL Server 2022 and later

Requires VIEW SERVER SECURITY STATE permission on the server.

See also

Security-Related Dynamic Management Views and Functions (Transact-SQL)
Transparent Data Encryption (TDE)
SQL Server Encryption
SQL Server and Database Encryption Keys (Database Engine)
Encryption Hierarchy
ALTER DATABASE SET Options (Transact-SQL)
CREATE DATABASE ENCRYPTION KEY (Transact-SQL)
ALTER DATABASE ENCRYPTION KEY (Transact-SQL)
DROP DATABASE ENCRYPTION KEY (Transact-SQL)