This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 5%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWG%3C/text%3E%3C/svg%3E)
Sql server encryption has got the service master key at the top of the hierarchy.
The database master key is encrypted with the service master key.
The database master key is stored in the respective database and also in the master db?
Where is the service master key (SMK) stored?
Hi @Waseem Gondal ,
We have not received a response from you. Did a reply could help you? If a response helped, do "Accept Answer". If it is not, please let us know. Your contribution is highly appreciated.
Hi @Waseem Gondal ,
Any update for this thread? Did a reply could help you?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
You need to backup your keys.
We recommend that you back up the master key as soon as it is created, and store the backup in a secure, off-site location.
Hi @Waseem Gondal ,
>The database master key is stored in the respective database and also in the master db?
Yes, you are right.
Quote from MS document;
>The database master key is stored in both the database where it is used and in the master system database.
In addition, you should back up the database master key and store the backup in a secure off-site location. Refer to MS document Back up a database master key.
>Where is the service master key (SMK) stored?
I did not find this information from MS document.
The Service Master Key is the root of the SQL Server encryption hierarchy. The SMK is automatically generated the first time the SQL Server instance is started. The SMK is encrypted by using the local machine key using the Windows Data Protection API (DPAPI). The DPAPI uses a key that is derived from the Windows credentials of the SQL Server service account and the computer's credentials. The service master key can only be decrypted by the service account under which it was created or by a principal that has access to the machine's credentials.
In addition, the service master key is the root of the encryption hierarchy. It should be backed up and stored in a secure, off-site location. Refer to MS document Back Up the Service Master Key.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
It occurred to me that this blog post from Simon McAucliffe has information where the keys are stored. (Although the main purpose of the post is to show that the security you get from TDE is limited.)
Thanks for sharing the information.
Could you share us the link of the blog that you mentioned. Thanks a lot.