Disable-DbaDbEncryption

Author: Chrissy LeMaire (@cl), netnerds.net
Availability: Windows, Linux, macOS

Want to see the source code for this command? Check out Disable-DbaDbEncryption on GitHub.
Want to see the Bill Of Health for this command? Check out Disable-DbaDbEncryption.

Synopsis

Disables Transparent Data Encryption (TDE) on SQL Server databases and removes encryption keys

Description

Disables Transparent Data Encryption (TDE) on specified databases by setting EncryptionEnabled to false and monitoring the decryption process until completion. Since TDE is not fully disabled until the Database Encryption Key (DEK) is removed, this command drops the encryption key by default to complete the decryption process.

This is commonly used when decommissioning databases that no longer require encryption, migrating databases to environments without TDE requirements, or troubleshooting TDE-related performance issues. The function monitors the decryption state and waits for the database to reach an "Unencrypted" state before proceeding with key removal.

Use the -NoEncryptionKeyDrop parameter if you want to disable TDE but retain the encryption key for future use, though the database will remain in a partially encrypted state until the key is manually dropped.

Syntax

Disable-DbaDbEncryption
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Database] <String[]>]
    [[-InputObject] <Database[]>]
    [-NoEncryptionKeyDrop]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Examples

Example: 1
PS C:\> Disable-DbaDbEncryption -SqlInstance sql2017, sql2016 -Database pubs

Disables database encryption on the pubs database on sql2017 and sql2016

Example: 2
PS C:\> Disable-DbaDbEncryption -SqlInstance sql2017 -Database db1 -Confirm:$false

Suppresses all prompts to disable database encryption on the db1 database on sql2017

Example: 3
PS C:\> Get-DbaDatabase -SqlInstance sql2017 -Database db1 | Disable-DbaDbEncryption -Confirm:$false

Suppresses all prompts to disable database encryption on the db1 database on sql2017 (using piping)
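
The Description notes that TDE is not fully disabled until the Database Encryption Key is removed. The following is an added example, not part of the dbatools documentation, that previews the change, runs it with catchable errors, and then confirms that no DEK remains. It assumes the sample names sql2017 and db1 from the examples above; Get-DekState is a hypothetical helper that uses Invoke-DbaQuery to read sys.dm_database_encryption_keys.

```powershell
# Added example. Assumptions: 'sql2017' and 'db1' are the sample names used on this page.
$instance = 'sql2017'
$database = 'db1'

# Hypothetical helper: returns the DEK row for one database, or nothing when no DEK exists.
# encryption_state: 1 = unencrypted, 3 = encrypted, 5 = decryption in progress.
function Get-DekState {
    param([string]$SqlInstance, [string]$Database)
    $query = @'
SELECT DB_NAME(database_id) AS DatabaseName, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID(@db);
'@
    Invoke-DbaQuery -SqlInstance $SqlInstance -Database master -Query $query -SqlParameter @{ db = $Database }
}

# 1. Record the starting state so the change can be evidenced afterwards.
Get-DekState -SqlInstance $instance -Database $database

# 2. Preview only: -WhatIf performs no actions.
Disable-DbaDbEncryption -SqlInstance $instance -Database $database -WhatIf

# 3. Run for real. -EnableException turns the friendly warning into a
#    terminating error, so a failed decryption cannot pass unnoticed.
try {
    Disable-DbaDbEncryption -SqlInstance $instance -Database $database -Confirm:$false -EnableException
} catch {
    throw "TDE was not disabled on ${database}: $($_.Exception.Message)"
}

# 4. Verify. Without -NoEncryptionKeyDrop the DEK is dropped, so no row should remain.
$dek = Get-DekState -SqlInstance $instance -Database $database
if ($null -eq $dek) {
    Write-Output "$database has no database encryption key; decryption is complete."
} else {
    Write-Warning "$database still has a DEK (encryption_state = $($dek.encryption_state))."
}
```

If the command was run with -NoEncryptionKeyDrop, step 4 is expected to report a remaining DEK until the key is dropped manually.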

Optional Parameters

-SqlInstance

The target SQL Server instance or instances.

Alias:
Required: False
Pipeline: false
Default Value:

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Alias:
Required: False
Pipeline: false
Default Value:

-Database

Specifies which databases to disable TDE encryption on. Accepts multiple database names as an array.
Required when using SqlInstance parameter to target specific databases instead of processing all encrypted databases on the instance.

Alias:
Required: False
Pipeline: false
Default Value:

-InputObject

Accepts database objects from Get-DbaDatabase for pipeline processing. This allows you to filter databases using Get-DbaDatabase criteria before disabling TDE.
Useful when you need to disable encryption on databases that match specific conditions like owner, compatibility level, or encryption status.

Alias:
Required: False
Pipeline: true (ByValue)
Default Value:

-NoEncryptionKeyDrop

Prevents the Database Encryption Key (DEK) from being automatically dropped after disabling TDE. By default, the function removes the DEK to complete the decryption process.
Use this switch when you need to retain the encryption key for future re-encryption or compliance requirements, though the database will remain in a partially encrypted state until the key is manually removed.

Alias:
Required: False
Pipeline: false
Default Value: False

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias:
Required: False
Pipeline: false
Default Value: False

-WhatIf

Shows what would happen if the command were to run. No actions are actually performed.

Alias: wi
Required: False
Pipeline: false
Default Value:

-Confirm

Prompts you for confirmation before executing any changing operations within the command.

Alias: cf
Required: False
Pipeline: false
Default Value: