Knowing the security objects hierarchy, we can see that in order to create a Symmetric Key
and encrypt data, we need to create:
Database Master Key
which is protected by passwordCertificate
which is protected by theDatabase Master key
-
The
Symmetric Key
itself, which is protect by theCertificate
In Always Encrypted
, we can use EKM
module to simplify this hierarchy. For example, we can store the certificates in the Windows Certification Store
and these certificates are protecting our encryption master keys.
I am wondering, if I want to use not Always Encrypted
built-in encryption functionalities, can I use EKM
module to create and manage my symmetric keys (like it is shown on the diagram). In the CREATE SYMMETRIC KEY documentation we have provider
option, but not enough information about possible providers and examples.
I am interesting in storing the Certificate
which is protecting the Symmetric keys or the Symmetric keys in external storage, because in such way the data is separated from the keys and in the database we are storing only references to the keys (like in always encrypted). Windows Certification Store will be best option for me, but Azure Key Vault or something else will work as well, I guess.
Best Answer
tl;dr - use
CREATE CRYPTOGRAPHIC PROVIDER
to create a connection inside SQL Server to your EKM/HSM hardware/software, through a vendor-provided .DLL file designed for that purpose.You can use Azure Key Vault to protect on-premises data. There are many steps required to enable your Azure account with Azure Key Vault, which are detailed at setup steps for extensible key management using Azure Key Vault.
The steps inside SQL Server consist of the following:
Install the SQL Server Connector for Azure Key Vault from the Microsoft download center.
Run the following code to enable EKM providers:
Register the EKM module:
Setup a credential for SQL Server to connect to Azure:
Open the key vault:
You can then enable TDE by following the steps listed to use SQL Server with SQL Encryption.