CUI

Documentation - V-276287

V-276287

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

CAT II

Title

The database master key (DMK) encryption password for Azure SQL Server Managed Instance must meet DOD password complexity requirements.

Description

Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk.

Documentable: false

Fix Text (Documentation Requirement)

Assign an encryption password to the DMK that is a minimum of 15 characters with at least one uppercase character, one lowercase character, one special character, and one numeric character, and at least eight characters changed from the previous password.

To change the DMK encryption password:

    USE [database name];
    ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'new password';

Note: The DMK encryption method must not be changed until the effects are thoroughly reviewed. Changing the master key encryption causes all encryption using the DMK to be decrypted and re-encrypted. This action must not be taken during a high-demand time.

Refer to the Azure SQL Managed Instance documentation found here: https://learn.microsoft.com/en-us/sql/relational-databases/security/encrypt...
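A pre-rotation check for the requirements in the Fix Text, as an added example (not part of the STIG or of Microsoft's documentation). It assumes "special character" means ASCII punctuation and measures "characters changed" as Levenshtein edit distance; the function names and sample passwords are constructed for illustration.

```python
import string

MIN_LENGTH, MIN_CHANGED = 15, 8   # thresholds from the Fix Text

def changed_characters(new: str, old: str) -> int:
    """Levenshtein distance, used here as the (assumed) measure of 'characters changed'."""
    prev = list(range(len(old) + 1))
    for i, nc in enumerate(new, 1):
        cur = [i]
        for j, oc in enumerate(old, 1):
            cur.append(min(prev[j] + 1,                # delete
                           cur[j - 1] + 1,             # insert
                           prev[j - 1] + (nc != oc)))  # substitute
        prev = cur
    return prev[-1]

def dmk_password_findings(new: str, old: str) -> list[str]:
    """Return the names of the requirements the candidate password fails."""
    checks = [
        ("length", len(new) >= MIN_LENGTH),
        ("uppercase", any(c in string.ascii_uppercase for c in new)),
        ("lowercase", any(c in string.ascii_lowercase for c in new)),
        ("numeric", any(c in string.digits for c in new)),
        # Assumption: "special" means ASCII punctuation.
        ("special", any(c in string.punctuation for c in new)),
        ("changed", changed_characters(new, old) >= MIN_CHANGED),
    ]
    return [name for name, ok in checks if not ok]

def rotation_statement(database: str, new: str, old: str) -> str:
    """Build the statement from the Fix Text, refusing a non-compliant password."""
    findings = dmk_password_findings(new, old)
    if findings:
        raise ValueError("non-compliant DMK password: " + ", ".join(findings))
    db = database.replace("]", "]]")   # escape for a bracketed identifier
    pw = new.replace("'", "''")        # escape for a T-SQL string literal
    return (f"USE [{db}]; ALTER MASTER KEY REGENERATE "
            f"WITH ENCRYPTION BY PASSWORD = '{pw}';")

if __name__ == "__main__":
    old_pw = "Summer2023!Password"     # constructed sample values
    for candidate in ("Summer2024!Password", "Tr7#kLm9@Qw2'Zx5vB"):
        print(candidate, "->", dmk_password_findings(candidate, old_pw) or "compliant")
```

A password that contains a single quote is valid but must be doubled inside the T-SQL literal, which `rotation_statement` handles; the generated statement contains the password and should not be written to logs or shell history.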
