set-up-an-encrypted-mirror-database.md

title	Set Up an Encrypted Mirror Database | Microsoft Docs
ms.custom
ms.date	03/06/2017
ms.prod	sql-server-2016
ms.reviewer
ms.suite
ms.technology	dbe-high-availability
ms.tgt_pltfrm
ms.topic	article
helpviewer_keywords	cryptography [SQL Server], database mirroring encryption [SQL Server], database mirroring database master key [SQL Server], database mirroring mirror database [SQL Server] database mirroring [SQL Server], security
ms.assetid	7329a575-be29-46e0-abc6-1344db37920c
caps.latest.revision	24
author	MikeRayMSFT
ms.author	mikeray
manager	jhubbard
ms.workload	Inactive

Set Up an Encrypted Mirror Database

To enable automatic decryption of the database master key of a mirror database, you must provide the password used to encrypt the master key to the mirror server instance. [!INCLUDEssVersion2005] and later versions include mechanisms to transfer the password. Use sp_control_dbmasterkey_password to create a credential for the database master key before you start database mirroring. You must repeat this process for every database that will be mirrored. For more information, see sp_control_dbmasterkey_password (Transact-SQL).

Caution

Do not enable failover decryption of a database that must remain inaccessible to sa and other highly privileged server principals. You can configure a database so that its key hierarchy cannot be decrypted by the service master key. This option is supported as a defense-in-depth for databases that contain information that should not be accessible to sa or other highly privileged server principals. Enabling failover decryption of such a database removes this defense-in-depth, enabling sa and other highly privileged server principals to decrypt the database.

See Also

sp_control_dbmasterkey_password (Transact-SQL)
CREATE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
Encryption Hierarchy
Setting Up Database Mirroring (SQL Server)