Threat and Vulnerability Mitigation (Replication)

This topic describes techniques to reduce threats to a replication topology.


Encryption is the process of converting data into a form that cannot be read without a special key, so that only the intended recipient can read the data. Replication does not encrypt data stored in tables or sent over network connections. This is by design, because encryption is available at the transport level with a number of technologies, including the following industry standard technologies: Virtual Private Networks (VPN), Secure Sockets Layer (SSL), and IP Security (IPSEC). We recommend using one of these encryption methods for the connections between computers in a replication topology. For more information, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager). For information about using VPN and SSL for replicating data over the Internet, see Securing Replication Over the Internet.

If you use SSL to secure the connections between computers in a replication topology, specify a value of 1 or 2 for the -EncryptionLevel parameter of each replication agent (a value of 2 is recommended). A value of 1 specifies that encryption is used, but the agent does not verify that the SSL server certificate is signed by a trusted issuer; a value of 2 specifies that the certificate is verified. Agent parameters can be specified in agent profiles and on the command line. For more information, see:
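The following audit is an added example, not part of the original topic: it classifies replication agent command lines by the -EncryptionLevel value they request and reports every agent that is not at the recommended value of 2. The job names and command lines are constructed samples, and matching the parameter name case-insensitively is an assumption.

```python
import re

# -EncryptionLevel followed by an optional value that is not itself a parameter.
# Case-insensitive matching of the parameter name is an assumption.
PARAM = re.compile(r"(?<!\S)-EncryptionLevel(?!\S)(?:\s+(?!-)(\S+))?", re.IGNORECASE)


def classify(command):
    """Return the encryption posture an agent command line asks for."""
    values = {v.strip("\"'") for v in PARAM.findall(command)}
    if not values:
        return "unset"        # not on the command line; the agent profile may set it
    if len(values) > 1:
        return "ambiguous"    # parameter repeated with conflicting values
    value = values.pop()
    if value == "2":
        return "verified"     # encrypted, certificate issuer is verified
    if value == "1":
        return "unverified"   # encrypted, certificate issuer is not verified
    return "other"            # missing or different value: neither SSL setting


def audit(jobs):
    """Return {job name: status} for every agent not at the recommended value 2."""
    return {name: s for name, cmd in jobs.items() if (s := classify(cmd)) != "verified"}


# Constructed sample command lines (server and database names are placeholders).
BASE = "-Publisher [PUB01] -PublisherDB [Sales] -Distributor [DIST01] "
SAMPLE_JOBS = {
    "dist-sales": BASE + "-Subscriber [SUB01] -EncryptionLevel 2",
    "dist-hr": BASE + "-Subscriber [SUB02] -encryptionlevel 1",
    "logreader-sales": BASE + "-DistributorSecurityMode 1",
    "merge-field": BASE + "-EncryptionLevel 1 -Subscriber [SUB03] -EncryptionLevel 2",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_JOBS).items():
        print(f"{name}: {status}")
```

An agent reported as "unset" still needs its agent profile checked, because parameters can be specified there as well as on the command line.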

See Also

Identity and Access Control (Replication)
Security Overview (Replication)
Secure Development (Replication)
Secure Deployment (Replication)