Enabling TDE on SQL Server by using EKM
This section shows how to enable transparent data encryption (TDE) in SQL Server to protect a database encryption key by using an asymmetric key stored on the EKM/HSM module.
You must run all the following commands inside a Query window in SQL Server Management Studio.
To create a credential for system administrators to use, run the following command:
The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the EKM/HSM module specified in the FXEKM configuration file (fxekm.cfg).
Add the credential to a high-privileged user, such as your domain login, in the format [DOMAIN\login].
Create an asymmetric key stored inside the EKM provider.
Create a credential for the database engine to use.
The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the EKM/HSM module specified in the FXEKM configuration file (fxekm.cfg).
Create a login to use the asymmetric key stored inside the EKM provider.
Enable the login to use the database engine credential.
Create a new example database, add a new table, and insert information into the table.
You cannot run database encryption operations on the master, model, tempdb, msdb, or resource databases.
Create a database encryption key for the exampleDB database, protected by the asymmetric key stored inside the EKM provider.
Enable transparent data encryption on the exampleDB database.
To verify that the data can only be decrypted while the HSM is reachable, restart the SQL Server service with the HSM offline and run the following command:
If the command fails while the HSM is offline, TDE is set up correctly.
Once the HSM is back online, the command should succeed.
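The full sequence of steps above as one T-SQL script. This is an added example, not the page's or vendor's own commands; the provider name FxEkmProvider, the identity 'ekm_user'/'ekm_pass', the key and credential names, [DOMAIN\login], and the table are all assumptions you must replace with your own values.

```sql
-- Added example, not the original page's commands. Assumed names:
-- FxEkmProvider (the registered EKM provider), 'ekm_user'/'ekm_pass'
-- (the identity created on the HSM, as set in fxekm.cfg), [DOMAIN\login].

-- Credential for administrators, bound to the EKM provider
CREATE CREDENTIAL ekm_admin_cred
    WITH IDENTITY = 'ekm_user', SECRET = 'ekm_pass'
    FOR CRYPTOGRAPHIC PROVIDER FxEkmProvider;
-- Attach it to a high-privileged login
ALTER LOGIN [DOMAIN\login] ADD CREDENTIAL ekm_admin_cred;

-- Asymmetric key: generated and held inside the HSM, never exported
CREATE ASYMMETRIC KEY tde_ekm_key
    FROM PROVIDER FxEkmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'tde_ekm_key',
         CREATION_DISPOSITION = CREATE_NEW;

-- Credential and login used by the database engine itself at startup
CREATE CREDENTIAL ekm_engine_cred
    WITH IDENTITY = 'ekm_user', SECRET = 'ekm_pass'
    FOR CRYPTOGRAPHIC PROVIDER FxEkmProvider;
CREATE LOGIN tde_ekm_login FROM ASYMMETRIC KEY tde_ekm_key;
ALTER LOGIN tde_ekm_login ADD CREDENTIAL ekm_engine_cred;

-- Example database with some data to protect
CREATE DATABASE exampleDB;
GO
USE exampleDB;
GO
CREATE TABLE Customers (Id INT PRIMARY KEY, Name NVARCHAR(100));
INSERT INTO Customers VALUES (1, N'Example customer');

-- DEK wrapped by the HSM-held key rather than by a local certificate
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY tde_ekm_key;
ALTER DATABASE exampleDB SET ENCRYPTION ON;
GO
-- encryption_state 3 = encrypted; encryptor_type should be ASYMMETRIC KEY
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys;
```

Run the final SELECT again after restarting the service with the HSM offline: the database should stay inaccessible until the engine can reach the provider again.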