Hi @Goh Chee Hong ,
When you start a SQL Server instance, the SQL Server database calls the EKM Provider software to decrypt the database symmetric key so that it can be used for encryption and decryption operations. The decrypted database key is stored in protected memory space and used by the database. The encrypted version of the database key remains on disk. In the event the system terminates abnormally, the only version of the database key is the encrypted version on disk.
For more details, refer to the following posts.
https://www.sqlservercentral.com/articles/transparent-data-encryption-and-extensible-key-management-better-together
or
https://dba.stackexchange.com/questions/218137/tde-using-ekm-device
Here is an official document about Enable TDE on SQL Server Using EKM; please refer to this doc to check if there are any omissions in your TDE creation process.
In addition, it is recommended to apply the latest SP and CU updates to your SQL Server 2017 instance to avoid any potential issues that have been fixed in the update.
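An added example, not part of the original answer or of the linked documentation: a read-only T-SQL checklist for spotting omissions in a TDE-with-EKM setup, using only system catalog views. It assumes a login with VIEW SERVER STATE and access to `master`; the column aliases are chosen for this example.

```sql
-- Added example: read-only checks, no configuration is changed.
USE master;

-- 1. EKM must be enabled at the instance level (value_in_use = 1).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'EKM provider enabled';

-- 2. The provider DLL must be registered and enabled.
SELECT provider_id, name, guid, version, dll_path, is_enabled
FROM sys.cryptographic_providers;

-- 3. A credential must exist for the provider and be mapped to a login.
--    Rows with login_name = NULL are credentials nobody can use.
SELECT c.name  AS credential_name,
       c.credential_identity,
       sp.name AS login_name,
       sp.type_desc
FROM sys.credentials AS c
LEFT JOIN sys.server_principal_credentials AS spc
       ON spc.credential_id = c.credential_id
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = spc.principal_id
WHERE c.target_type = N'CRYPTOGRAPHIC PROVIDER';

-- 4. Asymmetric keys in master that live in the EKM module.
SELECT name, algorithm_desc, key_length, thumbprint,
       cryptographic_provider_guid
FROM sys.asymmetric_keys
WHERE provider_type = N'CRYPTOGRAPHIC PROVIDER';

-- 5. Each database encryption key and what protects it.
--    encryption_state 3 = encrypted; encryptor_type should be
--    'ASYMMETRIC KEY' and ekm_key_name should not be NULL when the
--    key is protected through EKM.
SELECT d.name  AS database_name,
       k.encryption_state,
       k.encryptor_type,
       k.key_algorithm,
       k.key_length,
       ak.name AS ekm_key_name
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d
  ON d.database_id = k.database_id
LEFT JOIN sys.asymmetric_keys AS ak
  ON ak.thumbprint = k.encryptor_thumbprint;
```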