Skip to main content
This document provides information on configuring Futurex HSMs with Microsoft SQL Server Transparent Data Encryption (TDE) by using Extensible Key Management (EKM) libraries. For additional questions related to your HSM, see the relevant administrator guide.

About Microsoft SQL Server

Microsoft SQL Server is a relational database management system (RDBMS) used for large-scale online transaction processing (OLTP), data warehousing, and e-commerce applications. It is also a business intelligence platform for data integration, analysis, and reporting solutions.

About Transparent Data Encryption (TDE)

From the Microsoft documentation website: Transparent Data Encryption (TDE) encrypts SQL Server data files. This encryption is known as encrypting data at rest. To help secure a database, you can take precautions like:
  • Designing a secure system.
  • Encrypting confidential assets.
  • Building a firewall around the database servers.
However, a malicious party who steals physical media, such as drives or backup tapes, can restore or attach the database and browse its data. One solution is to encrypt sensitive data in a database and use a certificate to protect the keys that encrypt the data. This solution prevents anyone without the keys from using the data. But you must plan this kind of protection in advance. TDE does real-time I/O encryption and decryption of data and log files. The encryption uses a database encryption key (DEK). The database boot record stores the key for availability during recovery. The DEK is a symmetric key. It’s secured by a certificate that the server’s master database stores or by an asymmetric key that an EKM module protects. TDE protects data at rest, which includes the data and log files. It enables you to follow numerous laws, regulations, and guidelines established across various industries. This ability enables software developers to encrypt data by using AES and 3DES encryption algorithms without modifying existing applications.

Encryption hierarchy and integration with the Vectera Plus

Through EKM, Microsoft SQL Server can use our Vectera Plus HSM for key management and encryption acceleration. In this configuration, you can encrypt data by using encryption keys that only the database user can access on the external EKM HSM module.
Only the database-level items (such as the database encryption key) are user-configurable when you use TDE on SQL Database.

Guardian integration

The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:
  • Centralization of device management
  • Elimination of points of failure
  • Distribution of transaction loads
  • Group-specific function blocking
  • User-defined grouping systems
See the applicable guide in the Futurex Portal for configuring HSMs with the Guardian Series 3, including PKCS #11 and CNG configuration.