Microsoft SQL Server Always Encrypted
This document provides information about configuring our HSMs with Microsoft SQL Server Always Encrypted by using CNG libraries. For additional questions about your HSM, see the relevant administrator guide.
The Microsoft SQL Server Always Encrypted feature keeps sensitive data encrypted both in transit and at rest, with encryption and decryption performed on the client side by the database driver. A Column Master Key (CMK) protects the Column Encryption Key (CEK), and the CEK encrypts the data in the database columns. Because the database engine never holds the keys, the data stays encrypted even in the engine's memory, which protects it from high-privilege database users. Always Encrypted supports deterministic and randomized encryption; the choice determines which SQL operations (for example, equality lookups) remain possible on an encrypted column, so some SQL functionality is restricted. It is well suited to protecting PII, financial data, and other confidential information, and supports security and compliance requirements.
Through the CNG library, Microsoft SQL Server can use an HSM for key management and encryption acceleration. The HSM generates and stores the Microsoft SQL Always Encrypted Column Master Key (CMK), so the private key material never leaves the HSM and is protected from disclosure.
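The following is an added example, not part of this guide or the HSM vendor's own tooling, showing how the key hierarchy above is provisioned with the SqlServer PowerShell module against an HSM-held key exposed through a CNG key storage provider. The provider name, key name, server, database and column names are placeholders; it assumes the RSA key was already generated in the HSM and that this client host has the vendor's CNG provider installed with access to that key.

```powershell
# Added example (not from the original guide). Assumptions:
#   - the HSM vendor's CNG key storage provider is installed on this client and an
#     RSA key named "AE_CMK_01" already exists in it (both names are placeholders)
#   - the SqlServer PowerShell module is installed
#   - the caller holds ALTER ANY COLUMN MASTER KEY / ALTER ANY COLUMN ENCRYPTION KEY
#     on the target database and is authorised to use the HSM key
Import-Module SqlServer

$cngProvider = '<HSM CNG Key Storage Provider name>'   # placeholder: vendor-specific
$cngKeyName  = 'AE_CMK_01'                             # placeholder: key created in the HSM
$cmkName     = 'CMK_HSM'
$cekName     = 'CEK_Customers'

$db = Get-SqlDatabase -ServerInstance 'SQLSERVER01' -Name 'SalesDB'   # placeholders

# 1. CMK: SQL Server stores only metadata (provider name + key path).
#    The private key never leaves the HSM.
$cmkSettings = New-SqlCngColumnMasterKeySettings -CngProviderName $cngProvider -KeyName $cngKeyName
New-SqlColumnMasterKey -Name $cmkName -ColumnMasterKeySettings $cmkSettings -InputObject $db

# 2. CEK: the cmdlet generates the CEK on this client and wraps it with the CMK
#    through the CNG provider (RSA-OAEP), which is why this host needs HSM access.
#    The database receives only the wrapped CEK, never the plaintext key.
New-SqlColumnEncryptionKey -Name $cekName -ColumnMasterKeyName $cmkName -InputObject $db

# 3. Encrypt columns. Deterministic permits equality lookups and joins on the
#    ciphertext; randomized reveals nothing about equal values but permits no
#    such operations on the column.
$colSettings = @(
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Customers.SSN' -EncryptionType 'Deterministic' -EncryptionKey $cekName
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Customers.CreditLimit' -EncryptionType 'Randomized' -EncryptionKey $cekName
)
Set-SqlColumnEncryption -ColumnEncryptionSettings $colSettings -InputObject $db -LogFileDirectory 'C:\AE-Logs'

# 4. Check: the CMK entry must reference the CNG store and the HSM key path;
#    it must never contain key bytes.
Get-SqlColumnMasterKey -InputObject $db | Where-Object Name -eq $cmkName |
    Select-Object Name, KeyStoreProviderName, KeyPath
```

Run this from an administrative client that has the HSM's CNG provider and key access, not necessarily from the SQL Server host itself; the server only needs to store the key metadata and the wrapped CEK.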