Assume that you regularly turn encryption on and off on a database and also regularly change the encryption keys on the database in SQL Server 2012. In this scenario, the database might not be encrypted when you turn on encryption. If you change the encryption keys, an assertion might occur.
This issue occurs because, if a database encryption key (DEK) is not in an encrypted state and the key is changed, the next update of the key copies the key part of the DEK, but it does not copy the setting the encryption state correctly.
In SQL Server 2012, after a decryption scan, the DEK in the file control block (FCB) header is kept, and the DEK is removed only when the key is dropped. When encryption is turned off, there is a key change, and then you try to turn on the encryption, the dynamic management view (DMV) shows that encryption completed. However, the encryption scan is not performed and the pages are left not encrypted.
Cumulative update information
SQL Server 2012
The fix for this issue was first released in Cumulative Update 1. For more information about how to obtain this cumulative update package for SQL Server 2012, click the following article number to view the article in the Microsoft Knowledge Base:
Cumulative Update package 1 for SQL Server 2012
Because the builds are cumulative, each new fix release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2012 fix release. We recommend that you consider applying the most recent fix release that contains this hotfix. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
The SQL Server 2012 builds that were released after SQL Server 2012 was released
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
To work around this issue, drop the encryption key every time you turn encryption off on a database.