| title | description | author | ms.author | ms.date | ms.service | ms.subservice | ms.topic | helpviewer_keywords | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Set Up an Encrypted Mirror Database |
Learn how to enable automatic decryption of the database master key of a mirror database by using sp_control_dbmasterkey_password to create a credential. |
MikeRayMSFT |
mikeray |
03/06/2017 |
sql |
database-mirroring |
how-to |
|
[!INCLUDE SQL Server] To enable automatic decryption of the database master key of a mirror database, you must provide the password used to encrypt the master key to the mirror server instance. [!INCLUDEssVersion2005] and later versions include mechanisms to transfer the password. Use sp_control_dbmasterkey_password to create a credential for the database master key before you start database mirroring. You must repeat this process for every database that will be mirrored. For more information, see sp_control_dbmasterkey_password (Transact-SQL).
Caution
Do not enable failover decryption of a database that must remain inaccessible to sa and other highly privileged server principals. You can configure a database so that its key hierarchy cannot be decrypted by the service master key. This option is supported as a defense-in-depth for databases that contain information that should not be accessible to sa or other highly privileged server principals. Enabling failover decryption of such a database removes this defense-in-depth, enabling sa and other highly privileged server principals to decrypt the database.
sp_control_dbmasterkey_password (Transact-SQL)
CREATE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
Encryption Hierarchy
Setting Up Database Mirroring (SQL Server)