Share via

Symmetric key alter issue in SQL Server 2025

Dipak Nile 0 Reputation points
2026-06-01T14:17:15.8166667+00:00

Context: I am using SQL Server 2025 with symmetric keys protected by a certificate, and I encrypt/decrypt data using the EncryptByKey and DecryptByKey functions. I now need to migrate the symmetric key protection to Azure Key Vault. However, while implementing the encryption using Azure Key Vault for symmetric keys, I am encountering the following exception:

Command used:

OPEN SYMMETRIC KEY DAT_KEY  
   DECRYPTION BY  CERTIFICATE DB_Cert_test; 

ALTER SYMMETRIC KEY DAT_KEY    ADD ENCRYPTION BY                                                                                                               
ASYMMETRIC KEY SQLServerKeyAKV_DB_KEY;

Error:

Location:	 cmedokey.cpp:912
Expression:	 0 && "Invalid Crypto Property Type"
SPID:		 60
Process ID:	 9364
Thread ID:	 11460
Msg 3624, Level 20, State 1, Line 5
A system assertion check has failed. Check the SQL Server error log for details. Typically, an assertion failure is caused by a software bug or data corruption. To check for database corruption, consider running DBCC CHECKDB. If you agreed to send dumps to Microsoft during setup, a mini dump will be sent to Microsoft. An update might be available from Microsoft in the latest Service Pack or in a Hotfix from Technical Support.
Msg 596, Level 21, State 1, Line 4
Cannot continue the execution because the session is in the kill state.
Msg 0, Level 20, State 0, Line 4
A severe error occurred on the current command.  The results, if any, should be discarded.

I think this might be a issue with SQL Server 2025 , becuase this is working fine is old SQL versions.Already ruled out:

  • AKV wrap request succeeds (visible/successful on the Key Vault side).
  • [If run] DBCC CHECKDB clean — not corruption.
SQL Server Database Engine
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Erland Sommarskog 134.6K Reputation points MVP Volunteer Moderator
    2026-06-01T21:16:08.7766667+00:00

    That type of error message is always a bug in SQL Server. It may be due to a user error, but a user error should result in a proper error and not an system assertion check. (An assertion check is a check that a programmer puts into the code with the meaning "This condition better be true at this point, or else we no longer know what we are doing". So if the condition is false, they abort execution to prevent further damage.)

    The first thing is to check that you have the most recent Cumulative Update, which is CU5, installed. If you have not, it could be a known issue which has been fixed.

    If you still get this error message with CU5, you should open a support case. You may be charged initially, but since this is a bug, you should be refunded in the end.

    Was this answer helpful?

  2. AI answer

    2026-06-01T14:17:35.2+00:00

    This behavior is consistent with a product defect rather than a misuse of the T‑SQL syntax.

    From the documented behavior of symmetric keys and ALTER/OPEN operations:

    • ALTER SYMMETRIC KEY is the correct mechanism to add a new encryption protector (certificate, asymmetric key, or password) to an existing symmetric key, and it supports ASYMMETRIC KEY as an encryptor.
    • OPEN SYMMETRIC KEY correctly requires that any key used to encrypt the symmetric key (certificate/asymmetric key) be opened or otherwise available first.
    • The error text shows an internal assertion in SQL Server (Invalid Crypto Property Type in cmedokey.cpp), which is not a user-correctable error and typically indicates a bug in the engine when handling a particular crypto configuration.
    • DBCC CHECKDB being clean and the fact that the same pattern works on earlier SQL Server versions further supports that this is not data corruption or a T‑SQL usage issue.

    Given that:

    1. The T‑SQL pattern is supported and aligns with the documented ALTER/OPEN SYMMETRIC KEY semantics.
    2. The assertion is an internal engine failure, not a normal runtime error.
    3. There is no documented restriction in the provided material that would make this ALTER operation invalid.

    The next step is to treat this as a SQL Server 2025 defect and engage Microsoft Support so that the crash dump and environment details can be analyzed and a fix or workaround can be provided.

    Recommended actions:

    1. Preserve evidence
      • Keep the SQL Server error logs and any dump files generated for the assertion.
      • Capture the exact T‑SQL script, key definitions (CREATE SYMMETRIC KEY / CREATE ASYMMETRIC KEY / AKV provider configuration), and database compatibility level.
    2. Log a support case with Microsoft
      • Open a support ticket and provide:
        • SQL Server 2025 build number.
        • Repro steps (including the ALTER SYMMETRIC KEY statement and how the AKV-backed asymmetric key is configured).
        • Error log and dump file for the assertion.
    3. Interim workaround options (until a fix is available)
      • If possible in the environment, keep using the existing certificate-based protection for the symmetric key (no ALTER) while planning the migration.
      • Alternatively, create a new symmetric key directly protected by the AKV-backed asymmetric key and migrate encrypted data to use the new key, instead of altering the existing key. This avoids the specific ALTER path that is triggering the assertion.

    Because the assertion is engine-internal and not covered by configuration guidance in the available documentation, a code fix or hotfix from Microsoft will likely be required for a permanent resolution.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.