I created an application which reads/writes to SQL Server using DECRYPTBYPASSPHRASE and ENCRYPTBYPASSPHRASE. I compile and secure the application containing the encryption phrase using several anti-tampering measures (e.g. obfuscation, etc.) so that, in principle, it can't be decompiled by users.
If an application user gains access to the database using SSMS (which is fairly easy) and sees the encrypted data, is there any way for that user to decipher the encryption passphrase using some kind of triangulation methodology by looking at the decrypted data which is displayed in the application user interface?
Could the user retrieve the encryption key by intercepting and analyzing a TSQL command execution between the application and SQL Server?
Are there any other means of decrypting the data in the database?
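The interception question above can be checked directly on a test instance. The following T-SQL is an added example, not code from the original post: it shows that the passphrase passed to ENCRYPTBYPASSPHRASE/DECRYPTBYPASSPHRASE travels to SQL Server as a plain literal (or as a plain RPC parameter value), and that anyone holding VIEW SERVER STATE can read it back from the running request, from the plan cache after the fact, or from an Extended Events session. The table name `dbo.Secrets`, the passphrase value, the sample payload and the event session name are all constructed for the example.

```sql
-- Constructed test setup: one table holding ciphertext produced by the application.
CREATE TABLE dbo.Secrets (Id INT IDENTITY PRIMARY KEY, Payload VARBINARY(MAX));

-- 1. What the application actually sends. The passphrase is a string literal
--    inside the batch; obfuscating the client binary changes nothing here.
INSERT INTO dbo.Secrets (Payload)
VALUES (ENCRYPTBYPASSPHRASE('app-passphrase-example', N'4111 1111 1111 1111'));

SELECT CAST(DECRYPTBYPASSPHRASE('app-passphrase-example', Payload) AS NVARCHAR(MAX)) AS Plaintext
FROM dbo.Secrets;

-- Sending the passphrase as a parameter does not hide it either: rpc_completed
-- (below) records the parameter values, and the DMVs expose the RPC text.
EXEC sp_executesql
    N'SELECT CAST(DECRYPTBYPASSPHRASE(@pass, Payload) AS NVARCHAR(MAX)) FROM dbo.Secrets',
    N'@pass NVARCHAR(64)',
    @pass = N'app-passphrase-example';

-- 2. Live check (requires VIEW SERVER STATE): text of batches other sessions are running now.
SELECT r.session_id, r.login_name, t.text
FROM sys.dm_exec_requests AS r
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS t
WHERE t.text LIKE '%BYPASSPHRASE%';

-- 3. After-the-fact check: ad hoc batch text, literals included, stays in the plan cache
--    until evicted, so the attacker does not even need to be watching at the right moment.
SELECT qs.last_execution_time, t.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS t
WHERE t.text LIKE '%BYPASSPHRASE%';

-- 4. Continuous capture with Extended Events (requires ALTER ANY EVENT SESSION).
--    Filters to batches and RPCs that mention the passphrase functions.
CREATE EVENT SESSION capture_passphrase ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.session_id, sqlserver.client_hostname)
    WHERE sqlserver.like_i_sql_unicode_string(batch_text, N'%BYPASSPHRASE%')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.session_id, sqlserver.client_hostname)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%BYPASSPHRASE%'))
ADD TARGET package0.ring_buffer;

ALTER EVENT SESSION capture_passphrase ON SERVER STATE = START;

-- Run the application (or the statements in step 1), then read what was captured.
-- The XML contains batch_text / statement fields with the passphrase in clear.
SELECT CAST(t.target_data AS XML) AS captured
FROM sys.dm_xe_sessions AS s
JOIN sys.dm_xe_session_targets AS t ON s.address = t.event_session_address
WHERE s.name = 'capture_passphrase';

-- Cleanup for the test instance.
ALTER EVENT SESSION capture_passphrase ON SERVER STATE = STOP;
DROP EVENT SESSION capture_passphrase ON SERVER;
DROP TABLE dbo.Secrets;
```

The same literal is also visible to a packet capture if the connection is not using TLS, and to anyone who can run SQL Profiler or read a server-side trace. The practical conclusion is that a passphrase the server must see in every statement is only as secret as the server's own access controls, so the permissions above (VIEW SERVER STATE, ALTER ANY EVENT SESSION, and of course sysadmin) are the ones to audit for the users in question.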