| title | Set Up an Encrypted Mirror Database | Microsoft Docs | |||||
|---|---|---|---|---|---|---|
| ms.custom | ||||||
| ms.date | 03/06/2017 | |||||
| ms.prod | sql | |||||
| ms.prod_service | high-availability | |||||
| ms.reviewer | ||||||
| ms.suite | sql | |||||
| ms.technology | high-availability | |||||
| ms.tgt_pltfrm | ||||||
| ms.topic | conceptual | |||||
| helpviewer_keywords |
|
|||||
| ms.assetid | 7329a575-be29-46e0-abc6-1344db37920c | |||||
| caps.latest.revision | 24 | |||||
| author | MikeRayMSFT | |||||
| ms.author | mikeray | |||||
| manager | craigg |
[!INCLUDEappliesto-ss-xxxx-xxxx-xxx-md] To enable automatic decryption of the database master key of a mirror database, you must provide the password used to encrypt the master key to the mirror server instance. [!INCLUDEssVersion2005] and later versions include mechanisms to transfer the password. Use sp_control_dbmasterkey_password to create a credential for the database master key before you start database mirroring. You must repeat this process for every database that will be mirrored. For more information, see sp_control_dbmasterkey_password (Transact-SQL).
Caution
Do not enable failover decryption of a database that must remain inaccessible to sa and other highly privileged server principals. You can configure a database so that its key hierarchy cannot be decrypted by the service master key. This option is supported as a defense-in-depth for databases that contain information that should not be accessible to sa or other highly privileged server principals. Enabling failover decryption of such a database removes this defense-in-depth, enabling sa and other highly privileged server principals to decrypt the database.
sp_control_dbmasterkey_password (Transact-SQL)
CREATE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
Encryption Hierarchy
Setting Up Database Mirroring (SQL Server)