Hi there

To honest, it was a very quick overview, and when i did I found the architecture somewhat confusing. Either way, I was convinced the key was part of the "profile" of the account, when I say profile, its more part of the actual login and its associated stored provilieges within AD. Also, I believe the MS doco stated that if you encrypted the database whilst logged in as, say a custom account "SQLServerUser", and alter the service account to run under another user, granting higher admin privs to the other account would still not work and the files remained encrpypted. I will endevour to trail some of these and see what we can come up with.

Perhaps you can write up paper on this with more drill down from your experiences??? this sort of thing would be of interest to many DBA's.

Cheers

Ck