• Thanks for the reply, e4d4:

    Some further questions, if I may; if I understand correctly, to allow SQL server's Key management to work, the user would need CONTROL permission on the cert, and REFERENCE permission on the symmetric key. Am I correct in that?

    What dangers are inherent in granting CONTROL permission to a database role? Is the potential loss of security in this area worth the gain from encrypting data? And is granting CONTROL permission to a database role any more/less secure than placing the password inside each sproc?

    You are spot on when you say there really aren't any best practices. It has taken me two solid days of research to get just this far. Your input is appreciated.

    Kurt.