Should you encrypt the system databases?

Question :

A finding from a STIG evaluation, CCE-19832-5 reports that the [master] database should be encrypted with a Database Master Key using an encrypted password that meets DoD standards.

This is a result of an AppDetective scan; it states:

Resource key ‘database_containing_encrypted_key’ not found.=[master].

I am not deliberately storing anything in the master database.

I’ve encrypted all user databases but my question is: do you encrypt the system databases, specifically master? I am using TDE with SQL Server 2012.

Answer :

The answer is “NO”.

When you attempt to encrypt a system database, SQL Server complains:

Cannot encrypt a system database. Database encryption operations
cannot be performed for ‘master’, ‘model’, ‘tempdb’, ‘msdb’ or
‘resource’ databases.

However, it’s important to realize that any successful encryption of a non-system database will cause TempDB to be encrypted automatically, to protect temporary objects. In fact, even if TDE is later removed from the user database, TempDB will remain encrypted.

The documentation of the master database options shows you cannot encrypt it.
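The following T-SQL walks through what the answer describes, so you can see the behaviour on your own instance rather than take it on faith. It is an added example, not code from the original question or answer. The certificate name (TdeCert), the user database name (SalesDb), the backup file paths and the password placeholders are all assumptions; substitute your own before running it.

```sql
-- Added example (not part of the original post). TdeCert, SalesDb, the file
-- paths and the password placeholders are illustrative; replace them.
USE master;
GO

-- 1. The database master key (DMK) lives in master and protects the
--    certificate that wraps each user database's database encryption key.
--    This is the only TDE-related object that ever touches master.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for user databases';
GO

-- 2. Back up the certificate and its private key immediately. Without them
--    no backup of a TDE-protected database can be restored on another server.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\TdeBackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TdeBackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-- 3. Encrypt a user database (placeholder name SalesDb).
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO

-- 4. The same statement against a system database fails with the
--    "Cannot encrypt a system database" error quoted in the answer.
--    The error ends this batch only; the check below still runs.
ALTER DATABASE master SET ENCRYPTION ON;
GO

-- 5. Confirm the state. Once the first user database is encrypted, tempdb
--    appears here as encrypted (encryption_state = 3) without any explicit
--    step; master, model and msdb have no row at all.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,      -- 1 = unencrypted, 2 = in progress, 3 = encrypted
       key_algorithm,
       key_length,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO
```

Run step 5 again after the initial encryption scan finishes (encryption_state moves from 2 to 3) to get the final picture. If a scanner flags master, the evidence to hand an auditor is the output of this query plus the error text from step 4, not a configuration change on master.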
