The farm passphrase is a new security feature in SharePoint Foundation
2010. Similar to a password, it is created as part of the initial
creation of a SharePoint farm (or as a part of upgrade). The passphrase
is created during the PSConfig portion of SharePoint installation. It is
then only required for adding additional servers to the farm.

Beyond adding a modest extra layer of security, the farm passphrase's
main function is to encrypt the credentials for the farm administrator
and other “managed accounts.” Using the new managed accounts feature is
optional, and the details surrounding its use will be covered in
another module. Just keep in mind that managed
accounts are similar to traditional service accounts except they are
managed by SharePoint. Because the credentials for these managed
accounts can be encrypted by SharePoint, SharePoint also now has the
capability to access account credentials and use them. For example, when
creating a new Web application, an administrator can select and
associate a managed account with the Web application without having to
know the password for that managed account. Using the encryption key
created using the farm passphrase, SharePoint will be able to decrypt
the credentials for any managed account. Administrators will thus
potentially not have to know the passwords for any accounts managed by
SharePoint, which can be a big plus in a least-privilege security
environment.
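
The workflow described above, as an added PowerShell example (not code
from the original page): the account password is entered once at
registration, a Web application is later bound to the account by name
only, and the farm passphrase is requested only when a server joins the
farm. The account, server, database and URL names are constructed
placeholders, and the three function names are hypothetical.

```powershell
# Added example. CONTOSO\svc-webapp, SQL01 and the URL are constructed placeholders.
# Run from the SharePoint 2010 Management Shell, or load the snap-in first.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Register-ServiceAccount {
    # One-time step, done by someone who knows the password. SharePoint
    # stores the credential encrypted; nothing is written into the script.
    param([Parameter(Mandatory=$true)][string]$UserName)
    $cred = Get-Credential -Credential $UserName   # interactive password prompt
    New-SPManagedAccount -Credential $cred
}

function New-WebAppForManagedAccount {
    # Later step: the administrator selects the account by name. No
    # password is requested here; SharePoint uses the stored credential.
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Url,
        [int]$Port = 80
    )
    # Fails here if the account was never registered as a managed account.
    $account = Get-SPManagedAccount -Identity $UserName -ErrorAction Stop
    New-SPWebApplication -Name $Name -Url $Url -Port $Port `
        -ApplicationPool "$Name AppPool" -ApplicationPoolAccount $account
}

function Join-FarmServer {
    # Adding a server is the operation that requires the farm passphrase.
    # Read it as a SecureString at run time; do not hard-code it.
    param(
        [Parameter(Mandatory=$true)][string]$DatabaseServer,
        [Parameter(Mandatory=$true)][string]$ConfigDatabase
    )
    $passphrase = Read-Host -Prompt 'Farm passphrase' -AsSecureString
    Connect-SPConfigurationDatabase -DatabaseServer $DatabaseServer `
        -DatabaseName $ConfigDatabase -Passphrase $passphrase
}

# Usage (constructed values):
# Register-ServiceAccount -UserName 'CONTOSO\svc-webapp'
# New-WebAppForManagedAccount -UserName 'CONTOSO\svc-webapp' -Name 'Intranet' `
#     -Url 'http://intranet.contoso.example'
# Join-FarmServer -DatabaseServer 'SQL01' -ConfigDatabase 'SharePoint_Config'
```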