---
title: "Threat and Vulnerability Mitigation (Replication) | Microsoft Docs"
ms.custom: ""
ms.date: "03/07/2017"
ms.prod: sql
ms.prod_service: "database-engine"
ms.reviewer: ""
ms.technology: replication
ms.topic: conceptual
helpviewer_keywords:
  - "attacks [SQL Server replication]"
  - "threats [SQL Server replication security]"
  - "security [SQL Server replication], threats"
  - "security threats [SQL Server replication]"
ms.assetid: 314fe497-56d8-4192-98e9-21b87cf8db04
author: "MashaMSFT"
ms.author: "mathoma"
monikerRange: "=azuresqldb-mi-current||>=sql-server-2016||=sqlallproducts-allversions"
---
# Threat and Vulnerability Mitigation (Replication)

[!INCLUDE[appliesto-ss-asdbmi-xxxx-xxx-md](../../../includes/appliesto-ss-asdbmi-xxxx-xxx-md.md)]

This topic describes techniques to reduce threats to a replication topology.

## Encryption

Encryption is the process of converting data into a form that cannot be read without a special key, so that only the intended recipient can read the data. Replication does not encrypt data stored in tables or sent over network connections. This is by design: encryption is available at the transport level through a number of industry-standard technologies, including Virtual Private Networks (VPN), Secure Sockets Layer (SSL), and IP Security (IPSEC). We recommend using one of these encryption methods for the connections between computers in a replication topology. For more information, see [Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)](../../../database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine.md). For information about using VPN and SSL for replicating data over the Internet, see [Securing Replication Over the Internet](../../../relational-databases/replication/security/securing-replication-over-the-internet.md).
If you use SSL to secure the connections between computers in a replication topology, specify a value of **1** or **2** for the **-EncryptionLevel** parameter of each replication agent (a value of **2** is recommended). A value of **1** specifies that encryption is used, but the agent does not verify that the SSL server certificate is signed by a trusted issuer; a value of **2** specifies that the certificate is verified. Agent parameters can be specified in agent profiles and on the command line. For more information, see:

- [Work with Replication Agent Profiles](../../../relational-databases/replication/agents/work-with-replication-agent-profiles.md)
- [View and Modify Replication Agent Command Prompt Parameters (SQL Server Management Studio)](../../../relational-databases/replication/agents/view-and-modify-replication-agent-command-prompt-parameters.md)
- [Replication Agent Executables Concepts](../../../relational-databases/replication/concepts/replication-agent-executables-concepts.md)

Replication has the following behavior with respect to database Master Keys, which are used to encrypt data:

- If a Master Key is present in a database involved in replication (a publication database, subscription database, or distribution database), replication encrypts and decrypts agent passwords in that database using a [!INCLUDE[ssSQL11](../../../includes/sssql11-md.md)] database symmetric key. If Master Keys are used, a Master Key should be created in each database involved in replication. For more information about creating Master Keys, see [CREATE MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-master-key-transact-sql.md).
- Replication does not replicate Master Keys. If you require the Master Key at the Subscriber, you must export it from the publication database using BACKUP MASTER KEY and then import it into the subscription database using RESTORE MASTER KEY.
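The Master Key export and import just described, as an added Transact-SQL example that is not part of the original page. The database names `PubDB` and `SubDB`, the file path, and the passwords are placeholders; the first two steps run at the Publisher and the last two at the Subscriber.

```sql
-- Added example (not from the original page): create the Master Key in the publication
-- database, export it, and import it into the subscription database.
-- PubDB, SubDB, the file path and the passwords are placeholders; replace them before use.

-- 1. At the Publisher: create the Master Key if the publication database has none.
USE PubDB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<PubDB master key password>';
GO

-- 2. At the Publisher: export the Master Key, protected by a separate export password.
--    The file contains key material. Replication does not transport keys securely, so move
--    the file to the Subscriber over a protected channel and delete it when the import is done.
BACKUP MASTER KEY TO FILE = N'C:\keys\PubDB_master_key.bak'
    ENCRYPTION BY PASSWORD = N'<export password>';
GO

-- 3. At the Subscriber: import the exported key into the subscription database and
--    re-encrypt it with a password chosen for the Subscriber.
--    If SubDB already has a Master Key, RESTORE replaces it and re-encrypts the keys it
--    protects; add the FORCE option only if some of those keys cannot be decrypted,
--    because those keys are then lost.
USE SubDB;
GO
RESTORE MASTER KEY FROM FILE = N'C:\keys\PubDB_master_key.bak'
    DECRYPTION BY PASSWORD = N'<export password>'
    ENCRYPTION BY PASSWORD = N'<SubDB master key password>';
GO

-- 4. Check: the subscription database now has a Master Key.
SELECT name, create_date, key_algorithm
FROM sys.symmetric_keys
WHERE name = N'##MS_DatabaseMasterKey##';
GO
```

The export password and the Subscriber's Master Key password should differ from the Publisher's, so that compromise of the transport file or of one database does not expose the other.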
For more information, see [BACKUP MASTER KEY (Transact-SQL)](../../../t-sql/statements/backup-master-key-transact-sql.md) and [RESTORE MASTER KEY (Transact-SQL)](../../../t-sql/statements/restore-master-key-transact-sql.md).

- If a Master Key is defined for an attachable subscription database, specify the Master Key password using the `@db_master_key_password` parameter of [sp_attachsubscription (Transact-SQL)](../../../relational-databases/system-stored-procedures/sp-attachsubscription-transact-sql.md). This allows the database to be attached at the Subscriber.

For more information about encryption and Master Keys, see [Encryption Hierarchy](../../../relational-databases/security/encryption/encryption-hierarchy.md).

Replication enables you to publish encrypted column data. To decrypt and use this data at the Subscriber, the key that was used to encrypt the data at the Publisher must also be present on the Subscriber. Replication does not provide a secure mechanism to transport encryption keys. You must manually re-create the encryption key at the Subscriber. For more information, see [Replicate Data in Encrypted Columns (SQL Server Management Studio)](../../../relational-databases/replication/security/replicate-data-in-encrypted-columns-sql-server-management-studio.md).

## See Also

[Identity and Access Control for Replication](../../../relational-databases/replication/security/identity-and-access-control-replication.md)

[View and modify replication security settings](../../../relational-databases/replication/security/view-and-modify-replication-security-settings.md)