From 8eeb8f5995faa9f418d7df2d382c793bea529c0e Mon Sep 17 00:00:00 2001 From: Sam <772178+iamjustsam@users.noreply.github.com> Date: Fri, 30 May 2025 15:31:15 +0200 Subject: [PATCH] Adds a section on unsupported keys to troubleshoot-tde.md Adds a section on unsupported keys. Using an unsupported key will throw an InternalServerError without further information. --- .../security/encryption/troubleshoot-tde.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/relational-databases/security/encryption/troubleshoot-tde.md b/docs/relational-databases/security/encryption/troubleshoot-tde.md index ab6383116dd..6d1a2439d6c 100644 --- a/docs/relational-databases/security/encryption/troubleshoot-tde.md +++ b/docs/relational-databases/security/encryption/troubleshoot-tde.md @@ -185,6 +185,22 @@ Confirm that the server has permissions to the key vault and the correct permiss - If the server identity is present, ensure that it has the following key permissions: Get, WrapKey, and UnwrapKey. - If the server identity isn't present, add it by using the **Add New** button. +### Wrong key format + +**Error message** + +_500 InternalServerError - An unexpected error occured while processing the request._ + +**Detection** + +To identify the unsupported key in the key vault: + +- Use the Azure portal, go to the **Key vault** service menu > **Objects** > **Keys**, and check the key type and length. + +**Mitigation** + +Make sure that the key uses a [supported key length](/azure/azure-sql/database/transparent-data-encryption-byok-overview#requirements-for-configuring-tde-protector). + ## Getting TDE status from the Activity log To allow for monitoring of the database status due to Azure Key Vault key access issues, the following events will be logged to the [Activity Log](/azure/service-health/alerts-activity-log-service-notifications) for the resource ID based on the Azure Resource Manager URL.
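Review bot: The new "Wrong key format" subsection is internally inconsistent about what the reader is supposed to check: the heading says "format", the Detection bullet tells the reader to check "the key type and length", but the Mitigation only covers "a supported key length". Since the linked requirements section covers both key type and size, suggest making the heading and mitigation agree with the detection step, e.g. "### Unsupported key type or length" and "Make sure that the key uses a [supported key type and length](...)", so a reader with a key of the wrong type is not left thinking only the length matters. Two smaller points in the same hunk: the quoted error text reads "occured"; if that is a verbatim reproduction of the service message it should stay, otherwise correct it to "occurred" (a note that the 500 response carries no further detail, which is the whole reason this section exists, would also help the reader recognize the symptom). Finally, Detection contains a single-item bulleted list; the other subsections in this file use a plain sentence for a single step, so consider dropping the bullet for consistency.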