V-271169

CAT II (Medium)

The Database Master Key encryption password must meet DOD password complexity requirements.

Rule ID

SV-271169r1109188_rule

STIG

Microsoft SQL Server 2022 Database Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-001199

Discussion

Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, the confidentiality of all data encrypted using that key is at risk. Current DOD passwords require the following:
- minimum of 15 characters;
- at least one uppercase character;
- one lowercase character;
- one special character;
- one numeric character, and
- at least eight characters changed from the previous password.

Check Content

From the query prompt:

SELECT name
FROM [master].sys.databases
WHERE state = 0

Repeat for each database:
From the query prompt:

USE [database name]
SELECT COUNT(name)
FROM sys.symmetric_keys s, sys.key_encryptions k
WHERE s.name = '##MS_DatabaseMasterKey##'
AND s.symmetric_key_id = k.key_id
AND k.crypt_type in ('ESKP', 'ESP2', 'ESP3')

If the value returned is zero, this is not applicable.

If the value returned is greater than zero, a Database Master Key exists and is encrypted with a password.

Review procedures and evidence of password requirements used to encrypt Database Master Keys.

If the passwords do not meet DOD password standards, this is a finding.
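The "repeat for each database" step above collapsed into a single pass, as an added example that is not part of the STIG text: it walks every online database the login can access and reports the same count the check query produces, using the same catalog views and crypt_type codes. It assumes the login has VIEW DEFINITION on each database and that HAS_DBACCESS() is used to skip databases it cannot open.

```sql
-- Added example, not from the STIG: run the V-271169 check against every
-- online database in one pass and report which ones need password evidence.
SET NOCOUNT ON;

DECLARE @results TABLE (database_name sysname, pw_encrypted_dmk int);
DECLARE @db sysname, @sql nvarchar(max);

-- Same database list as the check (state 0 = ONLINE); HAS_DBACCESS is an
-- assumption added here so inaccessible databases are skipped, not errored.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM [master].sys.databases
    WHERE state = 0
      AND HAS_DBACCESS(name) = 1;

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Three-part names let one batch read each database's catalog without USE.
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS database_name, COUNT(s.name)
                 FROM ' + QUOTENAME(@db) + N'.sys.symmetric_keys AS s
                 JOIN ' + QUOTENAME(@db) + N'.sys.key_encryptions AS k
                   ON s.symmetric_key_id = k.key_id
                 WHERE s.name = N''##MS_DatabaseMasterKey##''
                   AND k.crypt_type IN (''ESKP'', ''ESP2'', ''ESP3'');';

    INSERT INTO @results (database_name, pw_encrypted_dmk)
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

-- Zero = not applicable; greater than zero = a password-encrypted DMK exists,
-- so the password procedures and evidence for that database must be reviewed.
SELECT database_name,
       pw_encrypted_dmk,
       CASE WHEN pw_encrypted_dmk = 0 THEN 'Not applicable'
            ELSE 'Review DMK password evidence' END AS check_status
FROM @results
ORDER BY database_name;
```

The script only reports where a password-encrypted Database Master Key exists; whether each password meets the DOD standard still has to be established from the documented procedures, since SQL Server does not store the password itself.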

Fix Text

Assign an encryption password to the Database Master Key that is a minimum of 15 characters with at least one uppercase character, one lowercase character, one special character, one numeric character, and at least eight characters changed from the previous password. To change the Database Master Key encryption password:

USE [database name];
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'new password';

Note: Do not change the Database Master Key encryption method until the effects are thoroughly reviewed. Changing the master key encryption causes all encryption using the Database Master Key to be decrypted and reencrypted. This action should not be taken during a high-demand time.

Refer to the SQL Server documentation found here prior to reencrypting the Database Master Key:
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/create-a-database-master-key?