The cryptography-related preemptive waits track Windows crypto API calls, and this page covers the family:
PREEMPTIVE_OS_BCRYPTIMPORTKEY, CRYPTACQUIRECONTEXT, CRYPTIMPORTKEY, CRYPTOPS, NCRYPTIMPORTKEY, VERIFYSIGNATURE, and VERIFYTRUST.
Their customers are the engine’s encryption features: TDE key operations, backup encryption setting up its keys, Always Encrypted and column encryption key handling, EKM/HSM providers (where the import-key calls can genuinely leave the machine), and signature verification (VERIFYTRUST, VERIFYSIGNATURE) when SQL Server validates signed DLLs and CLR assemblies, including at startup.
Are They a Problem?
Rarely; key operations are infrequent and fast against local providers. Two situations give the family real duration. First, EKM and HSM integration: when keys live on external hardware or a network service (including Azure Key Vault through EKM), the import and context calls inherit that round-trip, and a slow HSM shows up here. Second, signature verification with revocation checking: VERIFYTRUST can stall on servers without internet access while Windows tries to check certificate revocation, a classic cause of slow service starts and slow assembly loads on isolated machines.
What To Do
- Map accumulation to the crypto activity: TDE operations, encrypted backup windows, EKM usage, service or CLR startup.
- For HSM/EKM latency, measure the provider from the host; the fix is in that infrastructure.
- For revocation stalls on offline servers, apply Microsoft’s guidance on disabling the relevant network retrieval, a Windows setting, deliberately made.
How To See It
Rank waits with Get-WaitStatistics; occurrences pair with encryption features and verification events rather than steady workload.
Part of the SQL Server Wait Types Library.
Related deep dive: SOS_SCHEDULER_YIELD Wait Type.
Leave a Reply