Allows key owners to drop the named encryption key.
drop encryption key [[database.[owner].]keyname
is the name of the database
is the owner
is the name of the key
Drops the encryption key cc_key
:
drop encryption key cust.dbo.cc_key
If the key has key copies, the copies are dropped along with the base key.
The command fails if any column in any database is encrypted using the key.
drop encryption key cannot check databases that are archived, suspect, offline, unrecovered, or currently being loaded for columns encrypted by the key. The command issues a warning message naming the unavailable database, but does not fail. When the database is brought online, any tables with columns that were encrypted with the dropped key are not usable. To restore the key, the System Administrator must load a dump of the dropped key’s database from a time that precedes when the key was dropped.
The key owner and the System Security Officer can drop encryption keys.
Values in event and extrainfo columns of sysaudits are:
Event |
Audit option |
Command or access audited |
Information in extrainfo |
---|---|---|---|
109 |
drop encryption key |
create encryption key, alter encryption key, sp_encryption, sp_help.