Create an application partition for Microsoft SQL Server Always Encrypted

To segregate applications on the HSM, you must create an application partition specifically for your use case. Application partitions segment the permissions and keys between applications on an HSM. Choose one of the following methods to create an application partition:

Excrypt Manager

Perform the following steps on Excrypt Manager to create an application partition:

Go to the Application Partitions menu and select [ Add ].

In the Basic Information tab, configure all of the fields as follows:

Option	Required configuration
Role Name	Specify any name that you would like for this new application partition.
Logins Required	Set to 1 If the HSM is in FIPS mode, you must set Logins Required to 2.
Ports	Set to Prod.
Connection Sources	Set to Ethernet.
Managed Roles	Leave blank because you specify the exact Permissions, Key Slots, and Commands for this application partition or role to have access to.
Use Dual Factor	Set to Never.
Upgrade Permissions	Leave unchecked.

In the Permissions tab, select the following key permissions:

Permission	Description
Keys	Top-level permission
Authorized	Allows for keys that require login
Import PKI	Allows trusting an external PKI. Generally not recommended, but some applications use this to enable PKI symmetric key wrapping.
No Usage Wrap	Allows for interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys.

In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.

To use the HSMs’ functionality, you must enable particular functions on the application partition based on application requirements. Microsoft SQL Always Encrypted requires the following commands for operation. Enable the following commands in the Commands tab:PKCS #11 Communication Commands:

Command	Description
ECHO	Communication Test/Retrieve Version
HASH	Retrieve device serial
GPKM	Retrieve key table information
GPKS	General-purpose key settings get/change
GPKR	General-purpose key settings get (read-only)
TIME	Get/Set the HSM Internal Clock

Key Operations Commands:

Command	Description
GRSA	Generate RSA Private and Public Key
RPFP	Get public components from RSA private key
APFP	Get public components from ECC private key

Data Encryption Commands:

Command	Description
GPSR	General-purpose RSA encrypt/decrypt or sign/verify with recovery

Signing Commands:

Command	Description
RSAS	Generate a signature using a RSA private key
ASYS	Generate a signature using PKI private key

FXCLI

Run the following role FXCLI commands to create the new application partition and enable all required functions:

FXCLI

  role add --name Role_Name --application --key-range (0,999) --perm "Keys:Authorized" --perm "Keys:Import PKI" --perm "Keys:No Usage Wrap"

FXCLI

  role modify --name [role_name] --add-perm Excrypt:ECHO --add-perm Excrypt:HASH --add-perm Excrypt:GPKM --add-perm Excrypt:GPKS --add-perm Excrypt:GPKR --add-perm Excrypt:TIME --add-perm Excrypt:GRSA --add-perm Excrypt:RPFP --add-perm Excrypt:APFP --add-perm Excrypt:GPSR --add-perm Excrypt:RSAS --add-perm Excrypt:ASYS

⌘I

​Excrypt Manager

​FXCLI

Excrypt Manager

FXCLI