There is a scene in the 1955 Looney Tunes short called "Sahara Hare" in which Yosemite Sam is attempting to enter a castle in the desert. After various failed methods of forced entry he encounters a secret entrance in the wall of the castle. When Sam opens the door there is another one immediately behind it. When that door is opened it reveals yet another one and so the scenario repeats until he encounters some strategically placed TNT. This segment of the cartoon reminds me of the encryption key hierarchy minus the destructive ending.
The series of keys that makes up the encryption key hierarchy protect each other until the key that used for the encrypting/decrypting process is revealed. The outer door being the Service Master Key (SMK) which protects an inner door, the Database Master Key (DMK) , which protects additional doors which are symmetric and asymmetric keys. With SQL Server 2008 and the introduction of Transparent Data Encryption (TDE) a new key was introduced into the mix: The Database Encryption Key (DEK).
On the surface it may be a little confusing when determining the difference between a Database Master Key (DMK) and a Database Encryption Key (DEK). The similarity between their names certainly add to the confusion. They both are addressing the encryption process and the use of the word "encryption" in its name does not provide any implication to its unique purpose. Under the hood, the differences become much easier to understand:
Database Master Key
This symmetric key is used to protect subsequent symmetric keys or asymmetric keys within the database that are utilized in the actual encryption/decryption process of the data. The algorithm used when a DMK is created is Triple DES. The key that protects the DMK is the Service Master Key or a user-supplied password. When the SMK is used to protect the DMK, the opening of the DMK occurs automatically; otherwise the DMK must be opened using the OPEN MASTER KEY statement.
The CREATE MASTER KEY command is used to create a DMK. The sys.symmetric_keys view will display the DMK for the database.
Database Encryption Key
This symmetric key is used only for TDE. The purpose of this key is to perform the encryption/decryption process on the physical files and filegroups of the database. The algorithm used when a DEK is created is determined based upon the WITH ALGORITHM argument and include various AES algorithms as well as Triple DES. The key that protects the DEK is a Certificate (Asymmetric Key) that resides in the MASTER database which is protected by the DMK for the MASTER database.
Since the DEK is used with the TDE process, the opening of this key is transparent to the end user.
The CREATE DATABASE ENCRYPTION KEY command is used to create a DEK. The sys.dm_database_encryption_keys view will display the DEK for the database.