![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 45%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
14,494 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 46%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
If you ask me, none of them are very safe. Yes, one encryption is stronger than the other, but that does that matter if you leave the key under the doormat? Which is what you do if you protect the keys with the database master key.
Then again, there are decryption functions that works with password. That's a little better, as they can be sent from the client. Not that this is very safe, because they can still be retrieved, even if it requires some work.
Did you consider Always Encrypted, or are you on SQL 2014 or earlier where this feature is not available? AE is better, since decryption occurs outside SQL Server, and the encryption key does not have to be available on the SQL machine at all.