Database
Microsoft SQL Server TDE

Enabling TDE on SQL Server by using EKM

1min

This section shows how to enable transparent data encryption (TDE) in SQL Server to protect a database encryption key by using an asymmetric key stored on the EKM/HSM module.

You must run all the following commands inside a Query window in SQL Server Management Studio.

1

To create a credential for system administrators to use, run the following command:

The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the specified in the FXEKM configuration file (fxekm.cfg).

SQL

2

Add the credential to a high-privileged user, such as your domain login, in the format [DOMAIN\login].

SQL

3

Create an asymmetric key stored inside the EKM provider.

SQL

4

Create a credential for the database engine to use.

The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the specified in the FXEKM configuration file (fxekm.cfg).

SQL

5

Create a login to use the asymmetric key stored inside the EKM provider.

SQL

6

Enable the login to use the database engine credential.

SQL

7

Create a new example database, add a new table, and insert information into the table.

You cannot execute database encryption operations on master, model, tempdb, msdb, or resource databases.

SQL

8

Create a database encryption key for the exampleDB database.

SQL

9

Enable transparent data encryption on the exampleDB database.

SQL

10

To verify that you can decrypt data, restart SQL Server service with the HSM offline and run the following command:

SQL


If the following command fails, then TDE is set up correctly.

If the HSM is online, the command should succeed.





Updated 26 Aug 2024
Did this page help you?
PREVIOUS
Configuring EKM on the SQL Server
NEXT
Oracle Database TDE (12c)
Docs powered by Archbee