
How To Encrypt Drives On Live SQL Server With AlwaysOn

Written by
Mark Varnas

Encrypting drives for AlwaysOn

To encrypt drives for AlwaysOn, I would suggest these steps:

  1. Do the encryption during low-usage hours.
  2. Encrypt the drives on the SECONDARY first, without taking AlwaysOn offline. Perform this during a low-usage time slot.
  3. Encrypt one drive at a time.
  4. Give the IO a bit of time to catch up. I’d wait 10-15 minutes after each drive encryption completes before starting the next one. This may be overkill, but maybe not, considering we do this in a live PRODUCTION environment.
  5. Repeat the same steps for the PRIMARY AlwaysOn node.

Several options are available for encrypting drives on PRIMARY

Option 1

Fail over AlwaysOn to the SECONDARY, then encrypt the drives on the node that is now the secondary, just as described above.

Option 2

I don’t think AlwaysOn failover is a must for drive encryption.

It may be safe to simply encrypt on PRIMARY.

Just pay attention to the latency of SQL operations and to how long SPIDs are taking.

Start with the smallest drive or least active drive.

I think there may be a good chance this will go fairly unnoticed by SQL Server.

Option 3

  1. Encrypt the volumes on the SECONDARY.
  2. Then set AlwaysOn to asynchronous-commit (currently it’s in synchronous-commit) and perform the steps described above on the PRIMARY.
  3. When complete, set AlwaysOn back to synchronous-commit.

Your workload is quite heavy: on some days, your PRIMARY is producing 800MB worth of logs in 5 minutes.

So if the PRIMARY is slowed down for too long, there is a good chance this will cause issues.

AlwaysOn dashboard

Use it to make sure AlwaysOn is healthy.

There you can see AlwaysOn in two statuses:

  1. Synchronizing – meaning that if you fail over now, you may lose data, and automatic failover is not available at this point.
  2. Synchronized – meaning both replicas are caught up. All good, and auto-failover is ready to kick in if needed.
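Here is a T-SQL version of the Option 3 mode switch and of the dashboard check above, added as an example (not a script from the original article). The AG name [AG1] and the replica names SQLNODE1/SQLNODE2 are assumed placeholders; run it on the current PRIMARY.

```sql
-- Run on the PRIMARY replica. [AG1] and SQLNODE2 are assumed placeholder names.
-- Step 1 (Option 3): move the SECONDARY to asynchronous-commit for the duration of
-- the PRIMARY drive encryption. Automatic failover requires synchronous-commit, so
-- the failover mode has to be set to MANUAL first.
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'SQLNODE2' WITH (FAILOVER_MODE = MANUAL);
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'SQLNODE2' WITH (AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT);
GO

-- Step 2: the same information the AlwaysOn dashboard shows, to run after each
-- drive finishes and while the IO catches up. SYNCHRONIZING with a non-zero log
-- send or redo queue means a failover now could lose data; SYNCHRONIZED with
-- empty queues means the secondary is caught up.
SELECT  ag.name                          AS ag_name,
        ar.replica_server_name,
        DB_NAME(drs.database_id)         AS database_name,
        drs.synchronization_state_desc,  -- SYNCHRONIZING / SYNCHRONIZED
        drs.synchronization_health_desc, -- HEALTHY once the replica is caught up
        drs.log_send_queue_size          AS log_send_queue_kb, -- KB not yet sent
        drs.redo_queue_size              AS redo_queue_kb      -- KB not yet redone
FROM    sys.dm_hadr_database_replica_states AS drs
JOIN    sys.availability_replicas           AS ar ON ar.replica_id = drs.replica_id
JOIN    sys.availability_groups             AS ag ON ag.group_id   = drs.group_id
WHERE   ag.name = N'AG1'
ORDER BY ar.replica_server_name, database_name;
GO

-- Step 3: once every database on SQLNODE2 reports SYNCHRONIZED and both queues
-- are back to 0, restore synchronous-commit and then automatic failover.
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'SQLNODE2' WITH (AVAILABILITY_MODE = SYNCHRONOUS_COMMIT);
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'SQLNODE2' WITH (FAILOVER_MODE = AUTOMATIC);
GO
```

Re-run the Step 2 query between each drive instead of relying on the dashboard refresh; do not start the next drive until the queues have drained.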

If you are trying to encrypt *all* drives for compliance with SOC 2 or similar requirements and need to encrypt the quorum drive, you can.

There is nothing special about this drive.

I would just encrypt it without any special steps.

Article by
Mark Varnas
Founder | CEO | SQL Veteran
Hey, I'm Mark, one of the guys behind Red9. I make a living performance tuning SQL Servers and making them more stable.
