Set Up an Encrypted Mirror Database
Applies to: 
SQL Server
To enable automatic decryption of the database master key of a mirror database, you must provide the password used to encrypt the master key to the mirror server instance. SQL Server 2005 (9.x) and later versions include mechanisms to transfer the password. Use sp_control_dbmasterkey_password to create a credential for the database master key before you start database mirroring. You must repeat this process for every database that will be mirrored. For more information, see sp_control_dbmasterkey_password (Transact-SQL).
Caution
Do not enable failover decryption of a database that must remain inaccessible to sa and other highly privileged server principals. You can configure a database so that its key hierarchy cannot be decrypted by the service master key. This option is supported as a defense-in-depth for databases that contain information that should not be accessible to sa or other highly privileged server principals. Enabling failover decryption of such a database removes this defense-in-depth, enabling sa and other highly privileged server principals to decrypt the database.
See Also
sp_control_dbmasterkey_password (Transact-SQL)
CREATE MASTER KEY (Transact-SQL)
ALTER MASTER KEY (Transact-SQL)
Encryption Hierarchy
Setting Up Database Mirroring (SQL Server)
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for