• I'm a complete novice on encryption and confused by the statement:

    Also, there was a lot of discussion regarding the password that protects the key and concern over "backing up" the password. Consider taking advantage of the full key hierarchy and take a look at the service master key as a means to protect your database master keys instead of a password.

    I assume you could ALTER the master key to DROP the "password" encryption and retain only the SMK encryption of the master key. And then you could CREATE a CERTIFICATE based on the master key... But don't you still have to specify a password when you do the backup for the master key and private key of the certificate?

    I guess what I'm saying is, I don't see that you've gotten away from the issue of storing passwords for the backup of the encrypted keys.