| title | Set Up an Encrypted Mirror Database | |||||
|---|---|---|---|---|---|---|
| description | Learn how to enable automatic decryption of the database master key of a mirror database by using sp_control_dbmasterkey_password to create a credential. | |||||
| author | MikeRayMSFT | |||||
| ms.author | mikeray | |||||
| ms.date | 03/06/2017 | |||||
| ms.service | sql | |||||
| ms.subservice | database-mirroring | |||||
| ms.topic | how-to | |||||
| helpviewer_keywords |
|
[!INCLUDE SQL Server] To enable automatic decryption of the database master key of a mirror database, you must provide the password used to encrypt the master key to the mirror server instance. [!INCLUDEssVersion2005] and later versions include mechanisms to transfer the password. Use sp_control_dbmasterkey_password to create a credential for the database master key before you start database mirroring. You must repeat this process for every database that will be mirrored. For more information, see sp_control_dbmasterkey_password (Transact-SQL).
Caution
Do not enable failover decryption of a database that must remain inaccessible to sa and other highly privileged server principals. You can configure a database so that its key hierarchy cannot be decrypted by the service master key. This option is supported as a defense-in-depth for databases that contain information that should not be accessible to sa or other highly privileged server principals. Enabling failover decryption of such a database removes this defense-in-depth, enabling sa and other highly privileged server principals to decrypt the database.
sp_control_dbmasterkey_password (Transact-SQL)
CREATE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
Encryption Hierarchy
Setting Up Database Mirroring (SQL Server)