Troubleshooting

Problem / issue Suggested diagnosis / solution

When you attempt to register the SQLEKM provider, an error message similar to the following is returned in Microsoft SQL Server Management Studio:

Msg 33029, Level 16, State 1, Line 1 Cannot initialize cryptographic provider. Provider error code: 1. (Failure - Consult EKM Provider for details)

The Security World has become corrupted or unusable.

You may not have correct permissions to use the Security World directory. If using a fail-over cluster with nShield Connects similar to the example shown, you will require both remote and shared directory permissions on the RFS host.

If using a cluster with an RFS, make sure you have set the %NFAST_KMLOCAL% variable as a system variable, and not as a local variable.
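The following PowerShell check is an added example, not part of the original troubleshooting table or the vendor's tooling. It reports whether NFAST_KMLOCAL is defined at system (Machine) scope, whether the directory it names is reachable, and which ACL entries name the SQL Server service account. The account name `NT SERVICE\MSSQLSERVER` and the presence of a file called `world` in the Security World directory are assumptions; adjust them to your installation.

```powershell
# Added example. $SqlServiceAccount is an assumed placeholder: replace it
# with the account your SQL Server service actually runs as.
param(
    [string]$SqlServiceAccount = 'NT SERVICE\MSSQLSERVER'
)

function Get-KmLocalStatus {
    param([string]$Account)

    # Read both scopes explicitly. A service only sees the system (Machine)
    # value; an interactive shell sees the User value if one is also set.
    $machine = [Environment]::GetEnvironmentVariable('NFAST_KMLOCAL', 'Machine')
    $user    = [Environment]::GetEnvironmentVariable('NFAST_KMLOCAL', 'User')

    $status = [ordered]@{
        MachineValue   = $machine
        UserValue      = $user
        SystemScopeSet = [bool]$machine
        PathReachable  = $false
        WorldFileFound = $false
        AccountAcl     = @()
    }

    if ($user -and -not $machine) {
        Write-Warning 'NFAST_KMLOCAL is set only as a user variable; set it as a system variable.'
    } elseif ($user -and $user -ne $machine) {
        Write-Warning 'User and system values differ; interactive tests will not match what the service sees.'
    }

    if ($machine -and (Test-Path -LiteralPath $machine)) {
        # Reachability is tested as the current user, not as the service account.
        $status.PathReachable  = $true
        # Assumption: the Security World directory holds a file named "world".
        $status.WorldFileFound = Test-Path -LiteralPath (Join-Path $machine 'world')
        # NTFS ACL entries naming the account directly. Access granted through a
        # group, and share-level permissions on an RFS host, are not shown here.
        $status.AccountAcl = @((Get-Acl -LiteralPath $machine).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account } |
            ForEach-Object { '{0}: {1}' -f $_.AccessControlType, $_.FileSystemRights })
    }

    [pscustomobject]$status
}

Get-KmLocalStatus -Account $SqlServiceAccount | Format-List
```

Run it on each cluster node. An empty `AccountAcl` does not by itself mean access is denied, because rights may come from group membership.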

Microsoft SQL Server Management Studio displays a message stating that a session could not be opened for the SQLEKM provider.

There is either no smart card in the card reader, or an incorrect smart card in the card reader. Alternatively, the wrong OCS name or passphrase has been entered into the credentials.

If setting up or managing the TDE encryption keys, you must use the same OCS or softcard for your login credential as the one used for the tdeCredential to be created.

Microsoft SQL Server Management Studio displays a message stating that the key type property of the key returned by the SQLEKM provider does not match the expected value.

An attempt was made to create an asymmetric or a symmetric key with an unsupported algorithm.

After loss of communication with a remote HSM, all database queries fail with an error.

Communications between the SQL Server and the SQLEKM provider have not been re-established after the loss. Restart the MS SQL Server. (You may need administrator privileges to do this.)

When viewing data in a table that is expected to be visibly encrypted or decrypted, the data is displayed as NULL.

You may be attempting to encrypt/decrypt data that requires a key you do not have permission to use under your current credential.

You have not inserted an operator card, or you have the wrong operator card.

You are attempting to view data in an unsuitable format.

You are using an AlwaysOn availability group and you see that a database is marked as (Not synchronizing/Recovery pending).

Possible causes are a permissions problem in accessing a database, or a secondary replica has not been successfully updated following changes to the primary.

If you have recently altered your login credentials, check that the credentials are correct, then restart the SQL Server instance that is not synchronized.

If you think a replica has not updated correctly, try: