.NET Framework 4.6.2 client driver for Always Encrypted resulting in intermittent failures to decrypt individual rows

The SQL Product team has identified an issue in the .NET Framework 4.6.2 client driver when it is used against an Always Encrypted enabled database on SQL Server 2016 or Azure SQL Database. The issue can cause intermittent failures when decrypting records from an Always Encrypted enabled database, with the following error message:

Decryption failed. The last 10 bytes of the encrypted column encryption key are: '7E-0B-E6-D3-39-CE-35-86-2F-AA'. The first 10 bytes of ciphertext are: '01-C3-D7-39-33-2F-E6-44-C3-B1'. Specified ciphertext has an invalid authentication tag.

This failure to decrypt may lead to incorrect query results, which in turn may trigger incorrect behavior in the application: for example, attempts to insert values the application believes are missing, or other updates that either produce further errors or leave inconsistent data in the database.

The SQL Product team is aware of the issue and is actively working on a fix, which may be made available soon. In the interim, we have the following recommendations for users:

  • Users on .NET Framework 4.6.1 are not impacted by this issue and can ignore it. If you use the Always Encrypted feature, we recommend not upgrading to .NET Framework 4.6.2 until the fix for the issue is released.
  • Users who already have .NET Framework 4.6.2 installed should, if possible, roll back to .NET Framework 4.6.1. Note: in general, you should not uninstall any version of the .NET Framework that is installed on your computer without testing, because applications that depend on that version can break or stop functioning as desired.
  • If you are unable to uninstall .NET Framework 4.6.2 because of application dependencies, you can work around the issue by turning off column encryption key (CEK) caching: set the SqlConnection.ColumnEncryptionKeyCacheTtl property to 0 in the .NET Framework 4.6.2 driver.

After uninstalling .NET Framework 4.6.2 or turning off column encryption key (CEK) caching, users can confirm that the error no longer appears by running a table scan (e.g., SELECT * FROM <table with Always Encrypted columns>) from a query window in SSMS. Because the scan decrypts every row, it validates that the error does not recur.
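For applications that cannot roll back the framework, the workaround and the validation scan can also be applied from code. The following is an added example, not code from the original advisory; the server, database and table name are placeholders, and the scan runs from application code rather than an SSMS query window:

```csharp
using System;
using System.Data.SqlClient;

// Added example, not code from the original advisory: applies the CEK-cache
// workaround, then runs the validation scan the advisory recommends from
// application code. Server, database and table name are placeholders.
static class AlwaysEncryptedWorkaround
{
    // "Column Encryption Setting=Enabled" makes the driver decrypt Always Encrypted
    // columns on the client; without it the scan just returns ciphertext.
    const string ConnectionString =
        "Server=tcp:<server>;Database=<database>;Integrated Security=true;" +
        "Column Encryption Setting=Enabled;";

    static void Main()
    {
        // Static, process-wide setting. A TTL of zero disables the cache, so the
        // driver unwraps the column encryption key for every query instead of
        // reusing a cached copy. Set it before opening any connection.
        SqlConnection.ColumnEncryptionKeyCacheTtl = TimeSpan.Zero;

        bool ok = RunValidationScan("dbo.Patients"); // placeholder table name
        Console.WriteLine(ok ? "Validation scan passed." : "Validation scan FAILED.");
    }

    // Reads every row so each encrypted cell is decrypted. Returns true when all
    // rows decrypt, false if the driver raises the "Decryption failed ... invalid
    // authentication tag" error. tableName must be a trusted, hard-coded identifier.
    static bool RunValidationScan(string tableName)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT * FROM " + tableName, conn))
        {
            conn.Open();
            long rows = 0;
            try
            {
                using (SqlDataReader reader = cmd.ExecuteReader())
                    while (reader.Read()) rows++; // Read() decrypts the row's columns
                Console.WriteLine($"Decrypted {rows} rows from {tableName}.");
                return true;
            }
            catch (SqlException ex) when (ex.Message.StartsWith("Decryption failed"))
            {
                Console.WriteLine($"Failed at row {rows + 1}: {ex.Message}");
                return false;
            }
        }
    }
}
```

With the cache disabled, every query that touches an encrypted column unwraps the CEK through the column master key store (for example the Windows certificate store or Azure Key Vault), so expect added latency and more key-store calls until the fixed driver is available.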

Customers who still encounter the above error during the validation scan and are unable to resolve the issue should contact sqlalwaysencrypted@microsoft.com. The team will help access and recover all previously encrypted rows affected by this bug. The defect causes no permanent data loss.

To determine which versions of the .NET Framework are installed on a system, see How to: Determine Which .NET Framework Versions Are Installed.

Parikshit Savjani
Senior Program Manager (@talktosavjani)


SQL Server Release Services