Enable TDE in Microsoft SQL Server by using EKM
This section shows how to use an asymmetric key stored on the KMES Series 3 to enable transparent data encryption (TDE) in Microsoft SQL Server for database protection.
You must run all of the following commands in a Query window in SQL Server Management Studio.
Run the following commands to create a credential for system administrators to use:
Change the values set in the IDENTITY and SECRET fields to match the name and password of the KMES user you specified in the FXCL EKM configuration file.
Run the following commands to add the credential to a high-privileged user, such as your own domain login in the [DOMAIN\login] format:
Run the following commands to create an asymmetric key stored inside the FXCL EKM provider:
Run the following commands to create a credential for the database engine to use:
Change the values set in the IDENTITY and SECRET fields to match the name and password of the KMES user you specified in the FXCL EKM configuration file.
Run the following commands to create a login that uses the asymmetric key stored inside the FXCL EKM provider:
Run the following commands to enable the login to use the database engine credential:
Run the following commands to create a new example database, add a table to it, and insert information into the table:
You cannot execute database encryption operations on the master, model, tempdb, msdb, or resource databases.
Run the following commands to create a database encryption key for the exampleDB database:
Run the following commands to enable transparent data encryption on the exampleDB database:
To confirm that the data cannot be decrypted without the KMES, restart the SQL Server service while the KMES Series 3 is offline, then run the following command. If the command fails, TDE is configured correctly; once the KMES is back online, the same command should succeed.
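The procedure above written out end to end in T-SQL, as an added example rather than the statements from the original page. The provider name FXCL_EKM_Provider, the credential, key and login names, and the IDENTITY/SECRET placeholders are assumptions; substitute the names you registered and the KMES user from your FXCL EKM configuration file.

```sql
-- Prerequisite (not covered on this page): EKM enabled at the instance level and the
-- FXCL EKM DLL registered as a cryptographic provider; assumed name FXCL_EKM_Provider.
USE master;
GO
-- 1. Credential for administrators, tied to the KMES user from the FXCL EKM config.
CREATE CREDENTIAL KMES_AdminCredential
    WITH IDENTITY = '<kmes-user>', SECRET = '<kmes-password>'   -- placeholders
    FOR CRYPTOGRAPHIC PROVIDER FXCL_EKM_Provider;
GO
-- 2. Attach the credential to a high-privileged login (placeholder domain login).
ALTER LOGIN [DOMAIN\login] ADD CREDENTIAL KMES_AdminCredential;
GO

-- 3. Asymmetric key created inside the provider; the private half stays on the KMES.
CREATE ASYMMETRIC KEY KMES_TDE_Key
    FROM PROVIDER FXCL_EKM_Provider
    WITH PROVIDER_KEY_NAME = 'sql_tde_kek',     -- assumed key name on the KMES
         CREATION_DISPOSITION = CREATE_NEW,
         ALGORITHM = RSA_2048;
GO

-- 4. Separate credential and login for the database engine itself.
CREATE CREDENTIAL KMES_EngineCredential
    WITH IDENTITY = '<kmes-user>', SECRET = '<kmes-password>'   -- placeholders
    FOR CRYPTOGRAPHIC PROVIDER FXCL_EKM_Provider;
CREATE LOGIN KMES_TDE_Login FROM ASYMMETRIC KEY KMES_TDE_Key;
ALTER LOGIN KMES_TDE_Login ADD CREDENTIAL KMES_EngineCredential;
GO

-- 5. Example database with one table and one row of constructed sample data.
CREATE DATABASE exampleDB;
GO
USE exampleDB;
CREATE TABLE Customers (Id INT PRIMARY KEY, Name NVARCHAR(64));
INSERT INTO Customers (Id, Name) VALUES (1, N'Example Customer');
GO

-- 6. DEK protected by the KMES-resident asymmetric key, then switch TDE on.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY KMES_TDE_Key;
GO
ALTER DATABASE exampleDB SET ENCRYPTION ON;
GO

-- 7. Verify: encryption_state 3 = encrypted (2 while the initial scan is running).
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys;
```

For the offline check described above, a plain `SELECT * FROM exampleDB.dbo.Customers;` after restarting the service with the KMES unreachable should fail, because the engine cannot unwrap the DEK without the provider.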
You can view the asymmetric key that is created on the KMES and used for encrypting the Database Encryption Key (DEK) on the Key Management > Keys menu in the KMES application interface.