Creating Keys
This section describes the following topics:
Creating Asymmetric Key
Creating Symmetric Key
Creating Asymmetric Key
To create an asymmetric key, execute the following command. Replace <provider_name> with the name of the cryptographic provider registered in SQL Server for CipherTrust Manager; the key material is generated on CipherTrust Manager under PROVIDER_KEY_NAME and never enters SQL Server.
CREATE ASYMMETRIC KEY <key_name_in_sql_server>
FROM PROVIDER <provider_name>
WITH ALGORITHM = <algorithm_name>,
PROVIDER_KEY_NAME = '<key_name_in_cipherTrust_manager>',
CREATION_DISPOSITION=CREATE_NEW;
For example:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM PROVIDER <provider_name>
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=CREATE_NEW;
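The following added example (not part of the original guide) creates the key shown above and then runs a short RSA round-trip with EncryptByAsymKey and DecryptByAsymKey, so you can confirm that the key is provider-backed and that the private-key operation is actually performed by CipherTrust Manager. The provider name CM_EKM_Provider is an assumption (substitute the cryptographic provider you registered), and it assumes the EKM provider implements asymmetric encrypt and decrypt for EKM-backed keys.

```sql
-- Added example (not from the original guide). Assumptions: the cryptographic
-- provider is registered as CM_EKM_Provider, and it supports asymmetric
-- encrypt/decrypt for EKM-backed keys.
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM PROVIDER CM_EKM_Provider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION = CREATE_NEW;
GO

-- Check: the key must be provider-backed, not stored in the database.
-- Expect provider_type = 'CRYPTOGRAPHIC PROVIDER' and key_length = 2048.
SELECT name, algorithm_desc, key_length, provider_type, cryptographic_provider_guid
FROM sys.asymmetric_keys
WHERE name = 'SQL_EKM_RSA_2048_Key';

-- Round trip. RSA-2048 only encrypts a short payload, so asymmetric keys are
-- normally used to protect other keys rather than bulk data.
DECLARE @plain NVARCHAR(64) = N'wrap-me';
DECLARE @ct VARBINARY(256) = EncryptByAsymKey(AsymKey_ID('SQL_EKM_RSA_2048_Key'), @plain);

-- The decrypt call is serviced by the provider; the private key never leaves
-- CipherTrust Manager. A NULL result means the provider call failed.
SELECT
    DATALENGTH(@ct) AS ciphertext_bytes,   -- 256 for an RSA-2048 key
    CONVERT(NVARCHAR(64), DecryptByAsymKey(AsymKey_ID('SQL_EKM_RSA_2048_Key'), @ct)) AS recovered;
```

If the SELECT on sys.asymmetric_keys shows no row, or provider_type is not 'CRYPTOGRAPHIC PROVIDER', the key was not created through the EKM provider and the rest of the check is meaningless.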
Creating Symmetric Key
To create a symmetric key, execute the following command. As with asymmetric keys, the key material is generated and held on CipherTrust Manager under PROVIDER_KEY_NAME; the SQL Server key object only references it.
CREATE SYMMETRIC KEY <key_name_in_sql_server>
FROM PROVIDER <provider_name>
WITH ALGORITHM = <algorithm_name>,
PROVIDER_KEY_NAME = '<key_name_in_cipherTrust_manager>',
CREATION_DISPOSITION=CREATE_NEW;
For example:
CREATE SYMMETRIC KEY SQL_EKM_AES_128_Key
FROM PROVIDER <provider_name>
WITH ALGORITHM = AES_128,
PROVIDER_KEY_NAME = 'EKM_AES_128_Key',
CREATION_DISPOSITION=CREATE_NEW;
Tip
According to Microsoft, IDENTITY_VALUE = 'identity_phrase' can be supplied as a key option when creating a symmetric key. SQL Server derives the key's GUID from this phrase and stamps that GUID into every ciphertext produced with EncryptByKey. If the symmetric key object is later deleted from the SQL Server database, recreating it with the same IDENTITY_VALUE gives it the same GUID, so data encrypted with the original key can still be decrypted (the AES key material itself remains on CipherTrust Manager). Record the identity phrase outside the database: without it, the recreated key receives a different GUID and DecryptByKey cannot match the existing ciphertext.
Here is an example of using an identity phrase in the query while creating a symmetric key:
CREATE SYMMETRIC KEY <key_name_in_sql_server>
FROM PROVIDER <provider_name>
WITH ALGORITHM = <algorithm_name>,
PROVIDER_KEY_NAME = '<key_name_in_cipherTrust_manager>',
IDENTITY_VALUE = '<identity phrase>',
CREATION_DISPOSITION=CREATE_NEW;
If the symmetric key object has been deleted from the database and you need to decrypt data that was encrypted with it, run CREATE SYMMETRIC KEY again with CREATION_DISPOSITION = OPEN_EXISTING (this attaches to the key that still exists on CipherTrust Manager under PROVIDER_KEY_NAME) and the same IDENTITY_VALUE = 'identity_phrase' so that the recreated key receives the same GUID:
CREATE SYMMETRIC KEY <key_name_in_sql_server>
FROM PROVIDER <provider_name>
WITH ALGORITHM = <algorithm_name>,
PROVIDER_KEY_NAME = '<key_name_in_cipherTrust_manager>',
IDENTITY_VALUE = '<identity phrase>',
CREATION_DISPOSITION=OPEN_EXISTING;
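The following added example (not part of the original guide) walks through the recovery procedure end to end: it encrypts a column with an EKM-backed AES key created with IDENTITY_VALUE, shows the key GUID embedded in the ciphertext, drops the SQL Server key object, observes that decryption then fails, and recreates the key with OPEN_EXISTING and the same phrase to restore access. The provider name CM_EKM_Provider, the table dbo.CardVault, the sample value and the identity phrase are assumptions; the key names are the ones used above. It also assumes, per Microsoft's EKM guidance, that provider-backed symmetric keys are used directly without OPEN SYMMETRIC KEY.

```sql
-- Added example (not from the original guide). Assumptions: provider
-- CM_EKM_Provider, table dbo.CardVault, and a made-up identity phrase.
CREATE TABLE dbo.CardVault (
    id      INT IDENTITY PRIMARY KEY,
    pan_enc VARBINARY(256) NOT NULL   -- EncryptByKey output
);
GO

CREATE SYMMETRIC KEY SQL_EKM_AES_128_Key
FROM PROVIDER CM_EKM_Provider
WITH ALGORITHM = AES_128,
PROVIDER_KEY_NAME = 'EKM_AES_128_Key',
IDENTITY_VALUE = 'vault-recovery-phrase-2024',   -- keep this outside SQL Server
CREATION_DISPOSITION = CREATE_NEW;
GO

-- Record the GUID: it is derived from IDENTITY_VALUE and stamped into every
-- ciphertext, and it is what DecryptByKey uses to find the right key.
SELECT name, key_guid, algorithm_desc, provider_type
FROM sys.symmetric_keys
WHERE name = 'SQL_EKM_AES_128_Key';

-- Encrypt a constructed sample value (EKM-backed keys need no OPEN SYMMETRIC KEY).
INSERT INTO dbo.CardVault (pan_enc)
VALUES (EncryptByKey(Key_GUID('SQL_EKM_AES_128_Key'), N'4111111111111111'));

-- The first 16 bytes of each ciphertext are the key GUID; compare with key_guid above.
SELECT id, CONVERT(UNIQUEIDENTIFIER, SUBSTRING(pan_enc, 1, 16)) AS key_guid_in_ciphertext
FROM dbo.CardVault;

-- Simulate loss of the SQL Server key object. The key on CipherTrust Manager
-- (EKM_AES_128_Key) is untouched.
DROP SYMMETRIC KEY SQL_EKM_AES_128_Key;
GO

-- No key with a matching GUID exists, so DecryptByKey returns NULL.
SELECT id, CONVERT(NVARCHAR(32), DecryptByKey(pan_enc)) AS pan_after_drop
FROM dbo.CardVault;

-- Recovery: OPEN_EXISTING attaches to the existing provider key, and the same
-- IDENTITY_VALUE reproduces the same GUID. A different phrase would yield a new
-- GUID and the old rows would stay undecryptable.
CREATE SYMMETRIC KEY SQL_EKM_AES_128_Key
FROM PROVIDER CM_EKM_Provider
WITH ALGORITHM = AES_128,
PROVIDER_KEY_NAME = 'EKM_AES_128_Key',
IDENTITY_VALUE = 'vault-recovery-phrase-2024',
CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- Confirm the GUID matches the one embedded in the stored ciphertext, then decrypt.
SELECT key_guid FROM sys.symmetric_keys WHERE name = 'SQL_EKM_AES_128_Key';
SELECT id, CONVERT(NVARCHAR(32), DecryptByKey(pan_enc)) AS pan_after_recovery
FROM dbo.CardVault;
```

The GUID comparison is the useful check: if the recreated key's key_guid differs from the value in the first 16 bytes of pan_enc, the identity phrase was not the original one and recreating the key again with OPEN_EXISTING will not help until the correct phrase is found.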
Note
If you want to grant a particular key (symmetric or asymmetric) only the minimum key usage permissions it needs, assign the following key usage permissions to it in CipherTrust Manager:
Encrypt
Decrypt
If you enable the caching feature, the generated key must additionally be marked exportable on CipherTrust Manager, because a cached key is held on the SQL Server side. An exportable key can leave the CipherTrust Manager boundary, so restrict export permission on that key to the identity the EKM provider uses.