The database master key (DMK) encryption password for Azure SQL Server Managed Instance must meet DOD password complexity requirements.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-276287 | SRG-APP-000231-DB-000154 | MSQL-D0-001600 | SV-276287r1149770_rule | 2025-10-07 | 1 |
| Description |
|---|
| Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk. |
| ℹ️ Check |
|---|
| Use the query below to check each database to determine whether a DMK exists and is encrypted with a password: |
| `EXEC sp_MSforeachdb 'USE [?]; SELECT DB_NAME() AS DatabaseName, COUNT(name) AS DatabaseMasterKeyExists FROM sys.symmetric_keys s, sys.key_encryptions k WHERE s.name = ''##MS_DatabaseMasterKey##'' AND s.symmetric_key_id = k.key_id AND k.crypt_type IN (''ESKP'', ''ESP2'', ''ESP3'')'` |
| If the value returned is zero, this is not applicable. If the value returned is greater than zero, a DMK exists and is encrypted with a password. |
| Review procedures and evidence of the password requirements used to encrypt the DMK. If the passwords are not required to meet DOD password standards (currently a minimum of 15 characters with at least one uppercase character, one lowercase character, one special character, and one numeric character, and at least eight characters changed from the previous password), this is a finding. |
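
The rule's check query only counts password encryptions of the DMK. The T-SQL script below is an added example written for this page (it is not part of the STIG and not Microsoft tooling): it inventories the encryption types recorded for each database's DMK, iterates over `sys.databases` with a cursor instead of the undocumented `sp_MSforeachdb`, and labels every database as either needing evidence review (password-encrypted DMK) or not applicable. It assumes the executing login has `VIEW DEFINITION` in each database and that `USE` is permitted, as it is on Azure SQL Managed Instance; the temp table name and the assessment strings are my own.

```sql
-- Added example (not part of the STIG text): inventory DMK encryption types per database.
-- Assumption: the caller has VIEW DEFINITION in each database and USE is allowed
-- (true on Azure SQL Managed Instance, not on single Azure SQL Database).
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#dmk_inventory') IS NOT NULL DROP TABLE #dmk_inventory;
CREATE TABLE #dmk_inventory (
    database_name   sysname      NOT NULL,
    crypt_type      char(4)      NULL,   -- NULL when the database has no DMK
    crypt_type_desc nvarchar(60) NULL
);

DECLARE @db  sysname,
        @sql nvarchar(max);

-- Walk every ONLINE database the login can reach, so none is silently skipped.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE' AND HAS_DBACCESS(name) = 1;

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- One row per encryption of the DMK (password and/or service master key);
    -- a single NULL row when the database has no DMK at all.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #dmk_inventory (database_name, crypt_type, crypt_type_desc)
        SELECT DB_NAME(), k.crypt_type, k.crypt_type_desc
        FROM sys.symmetric_keys AS s
        JOIN sys.key_encryptions AS k ON k.key_id = s.symmetric_key_id
        WHERE s.name = N''##MS_DatabaseMasterKey##'';
        IF @@ROWCOUNT = 0
            INSERT INTO #dmk_inventory (database_name) VALUES (DB_NAME());';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

-- Summarise the check outcome per database. ESKP/ESP2/ESP3 are the
-- password-based encryption types the STIG check looks for.
SELECT
    database_name,
    CASE
        WHEN MAX(CASE WHEN crypt_type IN ('ESKP', 'ESP2', 'ESP3') THEN 1 ELSE 0 END) = 1
            THEN 'REVIEW: DMK is password-encrypted; verify the password meets DOD complexity'
        WHEN MAX(crypt_type) IS NULL
            THEN 'NOT APPLICABLE: no DMK in this database'
        ELSE 'NOT APPLICABLE: DMK not encrypted by password ('
             + STRING_AGG(crypt_type_desc, ', ') + ')'
    END AS assessment
FROM #dmk_inventory
GROUP BY database_name
ORDER BY database_name;
```

Run it from the master database with a login that can read every database; the `REVIEW` rows are the ones for which the STIG then requires documented evidence of the password policy, since the catalog views record only that a password was used, never its strength.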
| ✔️ Fix |
|---|
| Assign an encryption password to the DMK that is a minimum of 15 characters with at least one uppercase character, one lowercase character, one special character, and one numeric character, and at least eight characters changed from the previous password. |
| To change the DMK encryption password: `USE [database name]; ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'new password';` |
| Note: The DMK encryption method must not be changed until the effects are thoroughly reviewed. Changing the master key encryption causes all encryption using the DMK to be decrypted and re-encrypted. This action must not be taken during a high-demand time. |
| Refer to the Azure SQL Managed Instance documentation at https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/create-a-database-master-key?view=azuresqldb-mi-current for detailed information prior to re-encrypting the DMK. |