Procedural guide to enable Transparent Data Encryption (TDE) on SQL Server using EKM and HSM-stored keys.
This section shows how to enable transparent data encryption (TDE) in SQL Server to protect a database encryption key by using an asymmetric key stored on the Futurex EKM/HSM module.
You must run all the following commands inside a Query window in SQL Server Management Studio.
1
To create a credential for system administrators to use, run the following command:
The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the Vectera Plus specified in the FXEKM configuration file (fxekm.cfg).
Sql
CREATE CREDENTIAL EkmCredential WITH IDENTITY = 'crypto1', SECRET = 'safest' FOR CRYPTOGRAPHIC PROVIDER FuturexEkmProvider;GO
2
Add the credential to a high-privileged user, such as your domain login, in the format [DOMAIN\login].
Sql
ALTER LOGIN [WIN-Q4E6RG9BSOL\Administrator] ADD CREDENTIAL EkmCredential;GO
3
Create an asymmetric key stored inside the Futurex EKM provider.
Sql
USE master; GOCREATE ASYMMETRIC KEY EkmAsym FROM PROVIDER FuturexEkmProvider WITH ALGORITHM = RSA_2048, PROVIDER_KEY_NAME = 'EkmAsym';GO
4
Create a credential for the database engine to use.
The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the Vectera Plus specified in the FXEKM configuration file (fxekm.cfg).
Sql
CREATE CREDENTIAL EkmEngineCredential WITH IDENTITY = 'crypto1', SECRET = 'safest' FOR CRYPTOGRAPHIC PROVIDER FuturexEkmProvider;GO
5
Create a login to use the asymmetric key stored inside the EKM provider.
Sql
CREATE LOGIN EkmLogin FROM ASYMMETRIC KEY EkmAsym;GO
6
Enable the login to use the database engine credentials.
Sql
ALTER LOGIN EkmLogin ADD CREDENTIAL EkmEngineCredential;GO
7
Create a new example database, add a new table, and insert information into the table.
You cannot execute database encryption operations on master, model, tempdb, msdb, or resource databases.
Sql
CREATE DATABASE exampleDB;GOUSE exampleDB;GOCREATE TABLE users ( id INT NOT NULL PRIMARY KEY, name VARCHAR(64), password VARCHAR(128), ssn VARCHAR(32));GOINSERT INTO users (id, name, password, ssn) VALUES (1, 'SomeGuy', 'blah', '000-00-0000'), (2, 'SomeGal', 'password', '000-00-0000'), (3, 'TestUser', 'test123', '000-00-0000');GO
8
Create a database encryption key for the exampleDB database.
Sql
USE exampleDB;GOCREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER ASYMMETRIC KEY EkmAsym;GO
9
Enable transparent data encryption on the exampleDB database.
Sql
ALTER DATABASE exampleDB SET ENCRYPTION ON;GO
10
To verify that you can decrypt data, restart the SQL Server service with the HSM offline and run the following command:
Sql
USE exampleDB;SELECT * FROM users;
If the following command fails, then TDE is set up correctly.If the HSM is online, the command should succeed.
Was this page helpful?
⌘I
Assistant
Responses are generated using AI and may contain mistakes.
