Microsoft KB Archive/914261

= Error message when you run the ALTER SERVICE MASTER KEY REGENERATE statement in SQL Server 2005: "The current master key cannot be decrypted" =

Article ID: 914261

Article Last Modified on 3/8/2006

APPLIES TO

 * Microsoft SQL Server 2005 Standard Edition
 * Microsoft SQL Server 2005 Workgroup Edition
 * Microsoft SQL Server 2005 Developer Edition
 * Microsoft SQL Server 2005 Enterprise Edition


SYMPTOMS
When you run the ALTER SERVICE MASTER KEY REGENERATE Transact-SQL statement in Microsoft SQL Server 2005, you may receive the following error message:

The current master key cannot be decrypted. If this is a database master key, you should attempt to open it in the session before performing this operation. The FORCE option can be used to ignore this error and continue the operation but the data encrypted by the old master key will be lost.



CAUSE
This problem occurs because no service master key exists yet for the instance of SQL Server 2005. The ALTER SERVICE MASTER KEY statement changes a service master key that already exists; if none exists, the server returns an error. The REGENERATE option tells SQL Server to re-create the service master key. Before it creates the new key, the server must first use the old service master key to decrypt every key that was encrypted by it. The server then creates the new service master key and uses it to re-encrypt those keys. If there is no service master key, this decryption step cannot be performed, so the regeneration fails with the error message above.



WORKAROUND
Warning: Only use the following workaround if no service master key has ever been created for the instance of SQL Server 2005. If a service master key does exist, FORCE discards the keys it protects, and the data encrypted under them cannot be recovered.

To work around this problem, add the FORCE option to the ALTER SERVICE MASTER KEY REGENERATE Transact-SQL statement. The FORCE option causes the key regeneration process to continue even if the process cannot retrieve the current master key.
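The following Transact-SQL is an added example, not part of the KB article. It first checks master for the service master key row (named ##MS_ServiceMASTERKey## in sys.symmetric_keys), so that FORCE is only applied in the situation this article describes; the backup file path and password are placeholders, and the script assumes it is run by a member of sysadmin.

```sql
-- Added example (not from the KB article): regenerate the service master key,
-- using FORCE only when no service master key exists yet.
-- Assumes: run in master by a sysadmin; placeholder path and password below.
USE master;
GO
IF EXISTS (SELECT 1
           FROM sys.symmetric_keys
           WHERE name = N'##MS_ServiceMasterKey##')
BEGIN
    -- A service master key already exists, so dependent keys (database
    -- master keys, credentials, linked server passwords) are protected by it.
    -- Back it up first, then regenerate WITHOUT FORCE so the old key is used
    -- to decrypt and re-encrypt those dependents and nothing is lost.
    BACKUP SERVICE MASTER KEY
        TO FILE = 'C:\KeyBackup\smk_before_regenerate.bak'   -- placeholder path
        ENCRYPTION BY PASSWORD = '<strong-backup-password>'; -- placeholder
    ALTER SERVICE MASTER KEY REGENERATE;
END
ELSE
BEGIN
    -- No service master key has ever been created for this instance, which is
    -- exactly the case in this article: there is no old key to decrypt with
    -- and no dependent data to lose, so the FORCE workaround is safe here.
    ALTER SERVICE MASTER KEY FORCE REGENERATE;
END
GO
```

After the regeneration, querying sys.symmetric_keys in master again should show a single ##MS_ServiceMasterKey## row with a new create_date.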



STATUS
This behavior is by design.



MORE INFORMATION
The service master key is automatically generated the first time that it must be used to encrypt a linked server password, a credential, or a database master key. Therefore, an instance of SQL Server 2005 may not have a service master key.

