STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to MS SQL Server 2016 Instance Security Technical Implementation Guide

V-213974

CAT II (Medium)

The Master Key must be backed up and stored in a secure location that is not on the SQL Server.

Rule ID

SV-213974r961128_rule

STIG

MS SQL Server 2016 Instance Security Technical Implementation Guide

Version

V3R6

CCIs

CCI-001199

Discussion

Backup and recovery of the Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.

Check Content

If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding. 
 
Review procedures for and evidence of backup of the Master Key in the System Security Plan.  
 
If the procedures or evidence does not exist, this is a finding.  
 
If the procedures do not indicate that a backup of the Master Key is stored in a secure location that is not on the SQL Server, this is a finding.

If procedures do not indicate access restrictions to the Master Key backup, this is a finding.

Fix Text

Document and implement procedures to safely back up and store the Master Key in a secure location that is not on the SQL Server. Include in the procedures methods to establish evidence of backup and storage, and careful, restricted access and restoration of the Master Key.

BACKUP MASTER KEY TO FILE = 'path_to_file'  
ENCRYPTION BY PASSWORD = 'password';  
 
As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.