About Microsoft SQL Server Always Encrypted
The Microsoft SQL Server Always Encrypted feature ensures sensitive data remains encrypted both in transit and at rest, with encryption and decryption occurring on the client side. It uses a Column Master Key (CMK) to protect the Column Encryption Key (CEK), which encrypts the data in database columns. This approach keeps data encrypted even in the database server's memory, protecting it from high-privilege database users. Always Encrypted supports deterministic and randomized encryption, enabling secure operations on encrypted columns while restricting certain SQL functionality. It’s ideal for protecting PII, financial data, and other confidential information, enhancing security and compliance.

Purpose of the integration
Through the Futurex CNG library, Microsoft SQL Server can use a Vectera Plus HSM for key management and encryption acceleration. The HSM generates and stores the Microsoft SQL Always Encrypted Column Master Key (CMK), protecting it from disclosure.

Guardian integration
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:

- Centralization of device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems
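
The key hierarchy described at the top of this page (a CMK held in the HSM behind a CNG provider, wrapping the CEK that encrypts columns) looks like this in T-SQL. This is an added example, not Futurex's or Microsoft's own script: the key, table and column names are hypothetical, and the CNG provider name, key name and wrapped-key value are placeholders to fill in from your own deployment.

```sql
-- Added example. Object names are hypothetical; <...> values are placeholders.

-- 1. CMK metadata. SQL Server stores only the key's location. The key itself
--    stays in the HSM and is reached by the client through a CNG provider.
CREATE COLUMN MASTER KEY CMK_HSM
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CNG_STORE',
    KEY_PATH = N'<CNG provider name>/<CMK key name>'
);

-- 2. CEK metadata. ENCRYPTED_VALUE is the CEK wrapped by the CMK. Client
--    tooling (for example SSMS or the SqlServer PowerShell module) produces
--    it by asking the key store to encrypt a freshly generated CEK.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_HSM,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x<wrapped CEK bytes>  -- placeholder, not a real value
);

-- 3. Columns encrypted with the CEK.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    -- Deterministic: equal plaintexts give equal ciphertexts, so equality
    -- lookups and joins still work. Character columns need a BIN2 collation.
    NationalId char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Randomized: ciphertext differs on every write, so the server cannot
    -- compare, index or group on this column.
    BirthDate date
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);

-- 4. Audit check: which key store and key path protect each encrypted column.
SELECT c.name AS column_name, c.encryption_type_desc,
       cek.name AS cek_name, cmk.name AS cmk_name,
       cmk.key_store_provider_name, cmk.key_path
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id
WHERE c.object_id = OBJECT_ID(N'dbo.Customers');
```

The audit query in step 4 is useful after key rotation: any encrypted column whose `key_store_provider_name` is not `MSSQL_CNG_STORE` is not protected by the HSM-backed CMK.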

