Enabling TDE on SQL Server using EKM
This section shows how to enable transparent data encryption (TDE) in SQL Server to protect a database encryption key by using an asymmetric key stored on the Futurex EKM/HSM module.
All of the following commands need to be run inside a Query window in SQL Server Management Studio.
Create a credential that will be used by system administrators.
The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the Vectera Plus that is specified in the FXEKM configuration file (i.e., fxekm.cfg).
Add the credential to a highly privileged user, such as your own domain login, in the format [DOMAIN\login].
Create an asymmetric key stored inside the Futurex EKM provider.
Create a credential that will be used by the Database Engine.
The values set in the IDENTITY and SECRET fields should be the name and password of the identity created on the Vectera Plus that is specified in the FXEKM configuration file (i.e., fxekm.cfg).
Create a login that will use the asymmetric key stored inside the Futurex EKM provider.
Set the login to be able to use the database engine credential.
Create a new example database, add a table to it, then insert information into the table.
Database encryption operations cannot be executed on master, model, tempdb, msdb, or resource databases.
Create a database encryption key for the 'exampleDB' database.
Enable transparent data encryption on the 'exampleDB' database.
Check if data can be decrypted.
Restart the SQL Server service with the HSM offline, then check whether the following command fails. If it does, TDE is set up correctly: the database encryption key is wrapped by the asymmetric key held on the HSM and cannot be unwrapped while the HSM is unreachable. If the HSM is online, the command should succeed.
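The whole procedure above, as one T-SQL script. This is an added example, not the page's or Futurex's own script. It assumes the Futurex cryptographic provider has already been registered in SQL Server under the name FXEKM_Provider; the credential, key and login names (sa_fxekm_tde_cred, fxekm_tde_key, engine_fxekm_tde_cred, fxekm_tde_login, the HSM key name SQLServerTDEKey) and the dbo.Customers table are made up for the example; <identity-name> and <identity-password> are placeholders for the identity configured in fxekm.cfg, and [DOMAIN\login] is the administrator's own login.

```sql
-- Added example (not the page's or Futurex's own script). Assumed names are marked.
-- Credentials, the asymmetric key and logins are server-level objects, so they are
-- created in master; the TDE asymmetric key must live in master.
USE master;
GO

-- Credential used by system administrators, bound to the EKM provider.
CREATE CREDENTIAL sa_fxekm_tde_cred
    WITH IDENTITY = '<identity-name>',      -- placeholder: identity name from fxekm.cfg
         SECRET   = '<identity-password>'   -- placeholder: identity password from fxekm.cfg
    FOR CRYPTOGRAPHIC PROVIDER FXEKM_Provider;  -- assumed provider name
GO

-- Attach that credential to a highly privileged login.
ALTER LOGIN [DOMAIN\login] ADD CREDENTIAL sa_fxekm_tde_cred;
GO

-- Asymmetric key created inside the EKM provider; the private half stays on the HSM.
CREATE ASYMMETRIC KEY fxekm_tde_key
    FROM PROVIDER FXEKM_Provider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'SQLServerTDEKey',  -- assumed name of the key object on the HSM
         CREATION_DISPOSITION = CREATE_NEW;
GO

-- Separate credential for the Database Engine (same identity, distinct object).
CREATE CREDENTIAL engine_fxekm_tde_cred
    WITH IDENTITY = '<identity-name>',
         SECRET   = '<identity-password>'
    FOR CRYPTOGRAPHIC PROVIDER FXEKM_Provider;
GO

-- Login mapped to the asymmetric key, then allowed to use the engine credential.
CREATE LOGIN fxekm_tde_login FROM ASYMMETRIC KEY fxekm_tde_key;
ALTER LOGIN fxekm_tde_login ADD CREDENTIAL engine_fxekm_tde_cred;
GO

-- Example database with a table and one constructed row.
CREATE DATABASE exampleDB;
GO
USE exampleDB;
GO
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    CardLast4  CHAR(4)       NOT NULL
);
INSERT INTO dbo.Customers (Name, CardLast4) VALUES (N'Example Customer', '1234');
GO

-- Database encryption key, wrapped by the HSM-resident asymmetric key.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY fxekm_tde_key;
GO

-- Enable TDE and confirm the encryption scan has completed (encryption_state = 3).
ALTER DATABASE exampleDB SET ENCRYPTION ON;
GO
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,          -- 2 = in progress, 3 = encrypted
       key_algorithm, key_length, encryptor_type
  FROM sys.dm_database_encryption_keys
 WHERE database_id = DB_ID('exampleDB');
GO

-- Check that data can be decrypted while the HSM is online.
SELECT CustomerId, Name, CardLast4 FROM dbo.Customers;
GO

-- After restarting the service with the HSM offline, run these again: the database
-- is expected not to be ONLINE and the SELECT is expected to fail.
USE master;
GO
SELECT name, state_desc FROM sys.databases WHERE name = 'exampleDB';
SELECT CustomerId, Name, CardLast4 FROM exampleDB.dbo.Customers;
GO
```

The two credentials carry the same identity but are deliberately separate objects: one is tied to an administrator's login so a person can manage the key, the other is tied to the login created from the asymmetric key so the Database Engine can reach the HSM on its own at startup. The state_desc check is the quickest way to tell a working TDE setup (database unavailable without the HSM) from one where the encryption key was silently protected by something other than the HSM key.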