EncryptByKey versus EncryptByPassPhrase?

What are your thoughts about SQL Server's symmetric key functions? Specifically, I have two 开发者_开发知识库questions:

1. Which set of functions is better... EncryptByKey or EncryptByPassPhrase?

2. Both functions require a passphrase of some kind. In a typical web-application architecture, where should this passphrase be stored? (i.e., hard coded within a stored procedure in the database, or stored as a configuration setting in the web application)

I'm eager to see what the best practice is for these functions.

1. Encrypting using a passphrase is easier but the advantage of using a key is that the key can be secured using built in SQL sever roles. You can lock down use of the key to only those users that require access to that data.

2. If you use a certificate then you only need plain text during the initial setup and can store it outside your system. Again, the certificate is a securable object and can be locked down.

Hope this helps.