Microsoft SQL

This document offers detailed guidance on integrating Microsoft SQL Server with Luna HSM devices or Luna Cloud HSM services. To effectively utilize this guide, a basic understanding of Microsoft SQL Server and Luna HSM concepts is assumed.

This integration enhances the security and management capabilities of cryptographic keys within the SQL Server environment. To establish this integration, you need to configure the Extensible Key Management (EKM) provider option in SQL Server. Microsoft SQL's EKM feature enables the effective use of Luna HSMs for critical cryptographic operations. This includes key storage, as well as tasks like key creation, deletion, encryption, and decryption. Luna HSM provides access to Luna EKM, including the EKM provider library.

The benefits of integrating Luna HSMs with Microsoft SQL Server include:

Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
Significant performance enhancements by offloading cryptographic operations from application servers.

Supported Platforms

This integration has been tested and verified on the following platforms:

HSM Type	Platform Tested	EKM Software Version	Microsoft SQL Server Version
Luna HSM	Windows Server 2019	EKM v1.5	Microsoft SQL Server 2022
Luna HSM	Windows Server 2019+CU2 (KB4536075)	EKM v1.5 EKM v1.4	Microsoft SQL Server 2019
Luna HSM	Windows Server 2016 Windows Server 2012 R2	EKM v1.4	Microsoft SQL Server 2017 Microsoft SQL Server 2016
Luna Cloud HSM	Windows Server 2019	EKM v1.5	Microsoft SQL Server 2022
Luna Cloud HSM	Windows Server 2019+CU2 (KB4536075)	EKM v1.5 EKM v1.4	Microsoft SQL Server 2019
Luna Cloud HSM	Windows Server 2016	EKM v1.4	Microsoft SQL Server 2017 Microsoft SQL Server 2016

Note

This integration has been tested in both HA and FIPS modes. Notably, SQL Server employs the CKM_RSA_PKCS mechanism for encryption/decryption, but this mechanism is restricted in FIPS mode starting from firmware version 7.7.2. Consequently, it's important to note that this integration is not supported in FIPS mode for Luna HSM firmware versions 7.7.2 and above.

Note

SQL Server employs the CKM_RSA_PKCS mechanism for encryption, yet it is not permitted by Luna Cloud HSM in FIPS mode. Consequently, the integration of SQL Server with Luna Cloud HSM is viable only in Non-FIPS mode.

Prerequisites

Before integrating, ensure that the following prerequisites are met:

1Set up Luna HSM

2Configure Luna EKM

3Configure SQL Server

Set up Luna HSM

As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.

Set up On-Premise Luna HSM

Follow these steps to set up your on-premise Luna HSM:

1Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.

2Create a partition that will be later on used by Microsoft SQL.

3Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.

4Initialize Crypto Officer and Crypto User roles for the registered partition.

5Run the following command to verify that the partition has been successfully registered and configured:

C:\Program Files\SafeNet\LunaClient>lunacm.exe

Upon successful execution, you should observe an output similar to the example provided below:

lunacm.exe (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved.
Available HSMs:
Slot Id ->                           0
Label ->                             org.example.com
Serial Number ->                     1238696044924
Model ->                             LunaSA 7.4.0
Firmware Version ->                  7.4.0
Configuration ->                     Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->                  Net Token Slot
FM HW Status ->                      Non-FM

Note

Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.

Set up Luna HSM in High Availability Mode

Refer to Luna HSM documentation for High Availability (HA) steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.

Set up Luna HSM in FIPS Mode

To configure Luna HSM in FIPS Mode, update the configuration file by adding or modifying the following setting within the [Misc] section:

RSAKeyGenMechRemap=1

This setting ensures that older calling mechanisms are redirected to the approved RSA key generation methods (186-3 with primes and 186-3 with aux primes) required for FIPS compliance. By making this configuration change, Luna HSM will be properly set up to operate in FIPS mode, adhering to the approved RSA key generation standards.

Note

The configuration setting mentioned above, RSAKeyGenMechRemap=1, is not required for the Universal Client. It is applicable only for Luna Client 7.x.

Set up Luna Cloud HSM

The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:

1Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means

2Extract the .zip file into a directory on your client workstation.

3Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.

cvclient-min.zip

4Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.

Note

To add the configuration to an already installed UC client, use the –addcloudhsm option when running the setenv script.

5Run the LunaCM utility and verify that the Cloud HSM service is listed.

Note

If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.

Configure Luna EKM

Configure Luna EKM by following these steps:

1Install the Luna EKM on the host system. Download the Luna EKM package from the Thales support portal using the provided DOC IDs:

For EKM 1.5: KB0023244
For EKM 1.4: KB0016274
For EKM 1.3: KB0014957

Note

The installation program is Windows-based and will seamlessly guide you through the installation process.

Note

Luna EKM 1.5 introduces additional support for the crypto-user of the partition, enabling read-only operations like encryption or decryption.

2If you're using Luna EKM 1.5 and prefer a silent installation, execute the following command:

msiexec.exe /i LunaEKM.msi /qn INSTALLLEVEL=101 /l* EKM.txt

3After installing Luna EKM, manage it using the LunaEKMConfig utility, found in the Luna EKM installation folder. Employ the following commands in LunaEKMConfig:

To register a new slot with Luna EKM: RegisterSlot
To view the list of slots/HSMs configured with your client: ViewSlots
To configure logging settings for Luna EKM: LogSettings
Specify the log level using one of the following options: NONE=0, INFO=1, DEBUG=2
Specify the name and location of the log file using this format: LogFile name: <Name and location of LogFile>

Configure SQL Server

Install SQL Server on the designated machine. If you intend to set up a High Availability (Always On) SQL Server group, it's essential to install SQL Server on all nodes and verify that each node has access to Windows Failover Clustering Services (WFCS). For comprehensive installation procedures, consult the Microsoft SQL Server documentation.

Integrate Luna HSM with SQL Server

Follow these steps to establish and optimize the integration between Luna HSM and SQL Server for various key management and encryption functionalities:

1Enable EKM Provider option

2Create and register Luna EKM Provider

3Set up credential for Luna EKM Provider

4Use Luna EKM Provider option

5Enable TDE using asymmetric key

6Rotate Keys for TDE

7Migrate TDE from SQL EKM to Luna EKM

8Use EKM on a SQL Server failover cluster

Enable EKM Provider option

To activate the EKM Provider option, follow these steps:

1Launch the SQL Server Management Studio.

2Connect to the SQL Server.

3Open a new query window and run the following query:

sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO

Note

The sp_configure is compatible with the Enterprise, Developer, and Evaluation editions of SQL Server. Executing the command on a different version may result in an error.

Create and register Luna EKM Provider

To create and register the Luna EKM Provider, follow these steps:

1Launch the SQL Server Management Studio.

2Connect to the SQL Server.

3Open a new query window and execute the following command:

CREATE CRYPTOGRAPHIC PROVIDER <Name of Cryptographic Provider>
FROM FILE = '<Location of Luna EKM Provider Library>'

Note

Ensure the Name of Cryptographic Provider is a unique user-defined name. These steps facilitate the creation and registration of the Luna EKM Provider within your SQL Server environment.

4Verify the list of EKM providers:

SELECT [provider_id], [name], [guid], [version], [dll_path], [is_enabled]
FROM [model].[sys].[cryptographic_providers]

5Verify the provider properties:

SELECT [provider_id], [guid], [provider_version], [sqlcrypt_version], [friendly_name], [authentication_type],
[symmetric_key_support], [symmetric_key_persistance], [symmetric_key_export], [symmetric_key_import],
[asymmetric_key_support], [asymmetric_key_persistance], [asymmetric_key_export], [asymmetric_key_import]
FROM [master].[sys].[dm_cryptographic_provider_properties]

Set up credential for Luna EKM Provider

The next crucial step is to establish a credential for the Luna EKM Provider, mapping it to the SQL Service Account or the logged-in user authorized to use the Luna EKM Provider.

1Open a query window and execute the following command:

CREATE CREDENTIAL <Name of Credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM Partition Password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider

Note

In Luna EKM 1.5, it is essential to note that when creating a credential for the crypto-user of the partition, the IDENTITY value must include the prefix CU_. This prefix ensures proper identification and association with the crypto-user role. Failure to include the prefix will default to using the crypto-officer role for login to the HSM partition.

2Create a credential for a crypto-officer (CO):

CREATE CREDENTIAL EKMCredential
WITH IDENTITY='EKMUser', SECRET='userpin1'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider

3Create a credential for a crypto-user (CU):

CREATE CREDENTIAL EKMCredential 
WITH IDENTITY='CU_EKMUser', SECRET='userpin2'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider

4Map the credential with the SQL service account or login:

ALTER LOGIN [Domain\Login Name] ADD CREDENTIAL '<Name of Credential created>';

Note

Make sure to reopen the EKM session when there are changes to user credentials or the HSM service, or when the client machine is deleted from the service, or in the event of a network disconnection on the machine.

Use Luna EKM Provider option

The Luna EKM Provider has been prepared and is now available for use. This provider facilitates the generation and deletion of both symmetric and asymmetric keys within a Luna HSM partition. The keys generated can then be employed for encryption and decryption operations. Specifically, the SQL Server is capable of creating symmetric keys of different lengths (AES_128, AES_192, and AES_256) within the Luna HSM. These keys can be pivotal in securing sensitive data through encryption processes within the SQL Server environment.

Manage symmetric keys

Navigate through the sections below to gain comprehensive insights into the various facets of managing symmetric keys, ensuring a proficient and secure approach to key operations:

Note

The examples provided below use AES_256 algorithms. To explore other algorithms, replace AES_256 with an alternate algorithm tag.

Create symmetric keys

To create a symmetric key using the Luna EKM Provider, execute the following command from the SQL query window:

CREATE SYMMETRIC KEY SQL_EKM_AES_256_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = AES_256,
PROVIDER_KEY_NAME = 'EKM_AES_256_Key',
CREATION_DISPOSITION = CREATE_NEW

Note

Once a key is created on the Luna HSM, it can be referenced by name within the SQL Server. In the test case above, SQL_EKM_AES_256_Key serves as the unique name for the key in the SQL Server, applicable for encrypting and decrypting operations.

View symmetric keys

To view symmetric keys using the Luna EKM Provider, execute the following command:

SELECT * FROM [master].[sys].[symmetric_keys]

Encrypt a database table with symmetric keys

Follow these steps to encrypt a database table with symmetric keys:

1Create a test table in the MASTER database with fields:

CREATE TABLE test (
id NUMERIC(10),
name VARCHAR(50),
data VARCHAR(MAX)
)

2Execute the following command from the SQL query window:

INSERT INTO dbo.test
VALUES (1, 'some text', EncryptByKey(Key_GUID('SQL_EKM_AES_256_Key'), 'text to be encrypted'))

Decrypt a database table with symmetric keys

To decrypt a database table with symmetric keys using Luna EKM Provider, execute the following command from the SQL query window:

SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByKey(data)) 
FROM dbo.test WHERE id = 1

Drop symmetric keys

To remove symmetric keys, execute the following command from the SQL query window:

DROP SYMMETRIC KEY SQL_EKM_AES_256_Key REMOVE PROVIDER KEY

Manage asymmetric keys

Navigate through the sections below to gain comprehensive insights into the various facets of managing asymmetric keys, ensuring heightened security through state-of-the-art cryptographic algorithms including RSA_2048, RSA_3072, and RSA_4096.

Note

The examples that follow focus on RSA_2048 algorithms for illustrating asymmetric key operations. Feel free to effortlessly swap RSA_2048 with any alternative algorithm tag of your choice.

Create and map asymmetric keys

To create and map asymmetric keys using the Luna EKM Provider:

1Run the following SQL command:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=CREATE_NEW

Note

SQL Server does not implement FIPS 186-4. Consequently, RSA key generation by SQL Server is unsupported when the HSM is in FIPS Mode. For HSM in FIPS mode, employ the CMU utility to generate the key via the command prompt:
cmu generatekeypair -label EKM_RSA_2048_Key -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T

2Map the key in SQL Server. After the key is created in the HSM, it needs to be mapped within SQL Server to establish a connection between the HSM key and its representation in the SQL Server database. This mapping process ensures that SQL Server recognizes and can appropriately use the key created in the external HSM for encryption and decryption operations. Run the following command to map the key:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=OPEN_EXISTING

Note

Once a key is created on Luna HSM, it becomes accessible by its name from SQL Server. For instance, in the test case above, SQL_EKM_RSA_2048_Key serves as the unique key name in SQL Server, applicable for encryption and decryption operations.

View asymmetric keys

To view asymmetric keys using Luna EKM Provider, execute the following command:

SELECT * FROM [master].[sys].[asymmetric_keys]

Encrypt a database table with asymmetric keys

To encrypt a database table with asymmetric keys:

1Create a test table in the MASTER database with fields:

CREATE TABLE test (
  id NUMERIC(10),
  name VARCHAR(50),
  data VARCHAR(MAX)
)

2Execute the following command from the SQL query window:

INSERT INTO dbo.test
VALUES (1, 'some text', EncryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), 'text to be encrypted'))

Decrypt a database table with asymmetric keys

To decrypt a database table with asymmetric keys, execute the following command from the SQL query window:

SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), data)) 
FROM dbo.test WHERE id = 1

Drop asymmetric keys

To drop asymmetric keys using Luna EKM Provider, execute the following command from the SQL query window:

DROP ASYMMETRIC KEY SQL_EKM_RSA_2048_Key REMOVE PROVIDER KEY

Create symmetric key encrypted by asymmetric key

Follow these steps to create a symmetric key encrypted by an asymmetric key:

1Execute the following command in the SQL query window:

CREATE SYMMETRIC KEY key1
WITH ALGORITHM = AES_256
ENCRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;

Note

SQL_EKM_RSA_2048_Key refers to an existing asymmetric key on the Luna HSM. For details on generating an asymmetric key, consult the Manage asymmetric keys section.

2Open the key before you can use it for decryption operations:

sql OPEN SYMMETRIC KEY key1 DECRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;

Note

For Microsoft SQL Server 2017, apply the recommended patch, as described in the Troubleshooting Tips section.

3Create a test table in the master database with the following fields:

CREATE TABLE test (
  id NUMERIC(10),
  name VARCHAR(50),
  data VARCHAR(MAX)
)

4Encrypt the table data using the symmetric key:

INSERT INTO dbo.test
VALUES (1, 'some text', Encryptbykey(KEY_GUID('key1'), 'text to be encrypted'))

5Decrypt the data using the symmetric key:

SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByKey(data)) 
FROM dbo.test WHERE id = 1

6Close the symmetric key:

CLOSE SYMMETRIC KEY key1

Enable TDE using asymmetric key

Enhance the security of your database by enabling Transparent Data Encryption (TDE) using an asymmetric key stored on a Luna HSM. Follow these steps for a seamless integration:

Note

Luna EKM v1.3 onwards introduces support for generating higher-length asymmetric keys, specifically RSA_3072 and RSA_4096. However, an issue has been identified during integration testing with TDE and RSA_4096 key. To ensure a seamless experience, we recommend utilizing a maximum key length of RSA_3072 for TDE until Microsoft resolves the issue. The integration guide will be promptly updated in alignment with any developments.

Note

Encryption operations cannot be executed on master, model, tempdb, msdb, or resource databases.

1Create an asymmetric key using Luna EKM Provider:

USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION=CREATE_NEW;

Note

For FIPS mode, generate the key using the CMU utility in the command prompt:
cmu generatekeypair -label EKM_RSA_2048_Key_TDE -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T

2Map the key in SQL Server:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION=OPEN_EXISTING;

3Create a credential for Luna EKM Provider:

CREATE CREDENTIAL <Name of credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;

4Create a login based on the asymmetric key:

CREATE LOGIN <Name of login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;

5Map the credential to the login:

ALTER LOGIN <Name of Login> 
ADD CREDENTIAL <Name of credential>;

6Create a database encryption key:

CREATE DATABASE TDE;
USE TDE;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;

7Enable TDE:

ALTER DATABASE TDE
SET ENCRYPTION ON;

8Query the status of database encryption:

SELECT DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e 
LEFT JOIN master.sys.asymmetric_keys AS c 
ON e.encryptor_thumbprint = c.thumbprint;

Rotate keys for TDE

To ensure the security of your TDE, it's essential to regularly update your encryption keys. Follow the steps below to rotate your TDE keys:

1Generate an asymmetric key, depending on whether your HSM is in non-FIPS or FIPS mode.

Non-FIPS mode

If your HSM is in non-FIPS mode, run the following command to generate an asymmetric key using the Luna EKM Provider:

USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=CREATE_NEW

FIPS mode

If your HSM is in FIPS mode, SQL Server's native RSA key generation isn't supported. Follow these instructions instead:

Open the command prompt and generate the key using the CMU utility provided with the HSM Client.

cmu generatekeypair -label EKM_RSA_2048_Key_TDE_Rot -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T

After generating the key, map it in SQL Server:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING

2Map the key in SQL Server:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING

3Create a credential for Luna EKM Provider:

CREATE CREDENTIAL <Name of credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider

4Create a login based on the asymmetric key:

CREATE LOGIN <Name of login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;

5Map the credential to the login:

ALTER LOGIN <Name of Login> 
ADD CREDENTIAL <Name of credential>;

6Enable TDE key rotation:

Rotate the Database Encryption Key (DEK):

USE tde;
ALTER DATABASE ENCRYPTION KEY
REGENERATE
WITH ALGORITHM = AES_128;

Rotate the asymmetric key used to encrypt the DEK:

ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;
go
SELECT * FROM sys.dm_database_encryption_keys;
go

7Query the status of TDE after rotation:

SELECT DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint;

Migrate TDE from SQL EKM to Luna EKM

To migrate TDE from SQL EKM to Luna EKM, follow these steps:

1Create an asymmetric key:

USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_AW',
CREATION_DISPOSITION=CREATE_NEW

Note

SQL Server does not implement FIPS 186-4. For FIPS Mode, generate the key using CMU utility provided with the HSM Client:
cmu generatekeypair -label EKM_RSA_2048_Key_AW -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T

2Map the key in SQL Server:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_AW',
CREATION_DISPOSITION=OPEN_EXISTING

3Create a credential for Luna EKM Provider:

CREATE CREDENTIAL <Name of credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider

4Create a login based on the asymmetric key:

CREATE LOGIN <Name of login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW;

5Map the credential to the login:

ALTER LOGIN <Name of Login> 
ADD CREDENTIAL <Name of credential>;

6Migrate TDE from SQL to Luna EKM.

Rotate DEK and migrate to KEK

To rotate the DEK and migrate to KEK created on Luna HSM:

Note

This example uses the AdventureWorks database. Please replace AdventureWorks with your actual database name.

1Perform a backup of both the database and transaction logs. Ensure the completion of the backup process, and then proceed to restart the SQL database for the changes to take effect.

2Rotate the DEK:

USE AdventureWorks;
ALTER DATABASE ENCRYPTION KEY
REGENERATE
WITH ALGORITHM = AES_256;

3Migrate to KEK:

USE AdventureWorks;
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW
Go
SELECT * FROM sys.dm_database_encryption_keys
Go

Migrate to KEK created on Luna HSM without rotating the DEK

To migrate to KEK created on Luna HSM without rotating the DEK:

Note

This example uses the AdventureWorks database. Please replace AdventureWorks with your actual database name.

1Back up the database and transaction logs. Restart the SQL database after backup completes.

2Migrate to KEK:

USE AdventureWorks;
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW;
Go
SELECT * FROM sys.dm_database_encryption_keys
Go

3Check the status of TDE after migration:

SELECT DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint

Once the query executes successfully, the screen will display the status of database encryption and its completion percentage. With this, the migration from SQL Server to Luna HSM or Luna Cloud HSM service is now complete.

Use EKM on SQL Server failover cluster

To use EKM on SQL Server failover cluster:

1Install failover cluster. Follow the SQL Server documentation for failover cluster installation. Set up shared storage for the SQL Server Cluster, determining the size based on the required number of certificates.

2Install the Luna HSM client on both nodes after ensuring the cluster's functionality.

3Configure the HSM on both nodes. Register the same partition or Cloud HSM service on both nodes in the SQL Server Cluster.

4Install the Luna EKM client on both nodes.

5Configure the Luna EKM provider on both nodes.

6Open SQL Server Management Studio to register the Luna EKM provider on the first node.

7Establish the credential on the first node.

8Generate encryption keys using the Luna EKM provider on the first node.

9Create a table and encrypt a column with the Luna EKM key on the first node.

10Shut down the first node.

11Log in to the second node and decrypt the data encrypted on the first node.

12Confirm successful decryption of the data on the second node, ensuring EKM with Luna EKM is functioning seamlessly within the SQL Server cluster.

Integrate Luna HSM with SQL Server HA group

To seamlessly integrate Luna HSM with SQL Server in a HA Group, follow these steps:

1Enable EKM Provider option

2Create and register Luna EKM Provider

3Set up credential for Luna EKM Provider

4Create Always On Availability Group

5Enable TDE using asymmetric key on Luna HSM

6Add encrypted database to Availability Group

7Rotate keys for TDE

Enable EKM Provider Option

To enable the EKM Provider option on all nodes in the HA configuration, follow these steps:

1Launch the SQL Server Management Studio (SSMS) application.

2Connect to the SQL Server.

3Open a query window, and execute the following commands:

sp_configure 'show advanced', 1;
GO
RECONFIGURE;
GO
sp_configure 'EKM provider enabled', 1;
GO
RECONFIGURE;
GO

Note

Ensure that you are using the Enterprise, Developer, or Evaluation editions of SQL Server. The sp_configure command may not be supported on alternative versions, leading to an error if executed.

Create and register Luna EKM Provider

Follow these steps to set up the Luna EKM provider, install the Luna EKM Software, and register it for use with SQL Server on all nodes in the HA configuration. To create and register the Luna EKM Provider:

1Launch the SSMS application.

2Establish a connection to the SQL Server instance.

3Create the cryptographic provider:

CREATE CRYPTOGRAPHIC PROVIDER <Name of Cryptographic Provider>
FROM FILE = '<Location of Luna EKM Provider Library>'

Note

Replace <Name of Cryptographic Provider> with a unique user-defined name. Ensure to provide the correct location for the Luna EKM Provider Library.

4View the list of EKM providers:

SELECT [provider_id], [name], [guid], [version], [dll_path], [is_enabled]
FROM [model].[sys].[cryptographic_providers]

5View the provider properties:

SELECT [provider_id], [guid], [provider_version], [sqlcrypt_version], [friendly_name], [authentication_type],
[symmetric_key_support], [symmetric_key_persistance], [symmetric_key_export], [symmetric_key_import],
[asymmetric_key_support], [asymmetric_key_persistance], [asymmetric_key_export], [asymmetric_key_import]
FROM [master].[sys].[dm_cryptographic_provider_properties]

Set up credential for Luna EKM Provider

To set up credential for Luna EKM Provider:

1Execute the following command to create the credential:

CREATE CREDENTIAL <Name of Credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;

Note

Replace <Name of Credential> and <Name of EKM User> with user-defined names.

2Map the credential to the SQL service account or login:

ALTER LOGIN [Domain\Login Name]
ADD CREDENTIAL <Name of Credential created>;

Note

We recommend using a domain user on all SQL Server nodes. Ensure to reopen the EKM session if the user changes the HSM service, or the client machine is deleted from the service, or the machine suffers a network disconnection.

Create Always On Availability Group

To create Always On Availability Group:

1Open Microsoft SQL Server Management Studio on the primary node.

2Create a database.

3Back up the database to a shared network location accessible by all SQL Server nodes.

4Open the Always On Availability Group Creation wizard and follow these steps:

Launch the wizard.
Specify the name for the Availability Group.
Add the participating nodes (primary and secondary) to the Availability Group.
Configure the necessary settings, such as failover mode and backups.

Note

Refer to the Microsoft Documentation for detailed instructions on creating the Always On Availability Group.

Create encryption keys for Availability Group database

You can use the Luna EKM provider to create/drop symmetric and asymmetric keys to/from the HSM and can perform encryption/decryption using these keys.

Create symmetric key using the Luna EKM Provider

To create a symmetric key using the Luna EKM Provider:

1Open SQL Server Management Studio (SSMS) on the primary node.

2Execute the following command in the SQL query window:

USE HSMDB;

3Execute the following command to create a symmetric key using the Luna EKM Provider:

CREATE SYMMETRIC KEY SQL_EKM_AES_256_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = AES_256,
PROVIDER_KEY_NAME = 'EKM_AES_256_Key',
CREATION_DISPOSITION = CREATE_NEW;

Note

After creating the key on Luna HSM, you can reference it by its unique name in SQL Server. For instance, use the name SQL_EKM_AES_256_Key to identify and utilize this key within SQL Server.

View symmetric keys using the Luna EKM Provider

To view symmetric keys using the Luna EKM Provider, execute the following command:

SELECT * FROM [hsmdb].[sys].[symmetric_keys];

Encrypt a database table with symmetric keys

To encrypt a database table with symmetric keys using the Luna EKM Provider:

1Create a test table in the HSMDB database with the following fields:

CREATE TABLE test (
id NUMERIC(10),
name VARCHAR(50),
data VARCHAR(MAX)
);

2Execute the following command:

INSERT INTO dbo.test
VALUES (1, 'some text', EncryptByKey(Key_GUID('SQL_EKM_AES_256_Key'), 'text to be encrypted'));

Decrypt a database table with symmetric keys using the Luna EKM Provider

To decrypt a database table with symmetric keys using the Luna EKM Provider:

1Execute the following command:

SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByKey(data)) 
FROM dbo.test WHERE id = 1;

2Execute the above command on the secondary replica and verify that the output is the same as the primary replica.

Create asymmetric keys on Luna HSM

To generate the asymmetric key using the Luna EKM Provider:

1Execute the following command in the SQL query window:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=CREATE_NEW;

Note

SQL Server does not adhere to FIPS 186-4, and consequently, RSA key generation by SQL Server is not supported when the Hardware Security Module (HSM) is in FIPS Mode. Please follow the provided steps for generating an RSA Key when the HSM is in FIPS mode.

2When using HSM in FIPS mode, open the command prompt and generate the key using the CMU utility provided with HSM Client:

cmu generatekeypair -label EKM_RSA_2048_Key -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T

3Map the key in SQL Server:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=OPEN_EXISTING;

Note

Once a key is created, it can be used or referred to by its name in SQL Server. For example, in the above test case, SQL_EKM_RSA_2048_Key is the unique name of the key in SQL Server, and this key name can be used for encrypt and decrypt operations.

View asymmetric keys using Luna EKM Provider

To view asymmetric keys using the Luna EKM Provider, execute the following command from the SQL query window:

SELECT * FROM [hsmdb].[sys].[asymmetric_keys];

Encrypt a database table with asymmetric keys

To encrypt a database table with asymmetric keys using the Luna EKM Provider, execute the following command from the SQL query window:

INSERT INTO dbo.test
VALUES (2, 'some text', EncryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), 'text to be encrypted'));

Decrypt a database table with asymmetric keys

To decrypt a database table with asymmetric keys using the Luna EKM Provider:

1Execute the following command from the SQL query window:

SELECT id, name, CONVERT(varchar(MAX), DecryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), data))
FROM dbo.test WHERE id = 2;

2Execute the above command on the secondary replica and verify that the output is the same as the primary replica.

Create symmetric key encrypted by asymmetric key on Luna HSM

Enhancing the security of symmetric keys is achieved by encrypting them with an asymmetric key. Follow these steps to create a symmetric key encrypted by an existing asymmetric key:

1Launch SQL Server Management Studio (SSMS) on the primary node.

2Execute the following command in the SQL query window:

CREATE SYMMETRIC KEY key1
WITH ALGORITHM = AES_256
ENCRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;

Note

Ensure that the specified asymmetric key (SQL_EKM_RSA_2048_Key) is already present in the database before attempting to use it for encrypting a symmetric key. If the specified asymmetric key does not exist, you should create it first before proceeding with the command to create the symmetric key.

3Prior to utilizing the key, open it using the command:

OPEN SYMMETRIC KEY key1 DECRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;

Note

If you are using Microsoft SQL Server 2017, apply the recommended patch mentioned in the Troubleshooting Tips section.

4Encrypt data utilizing key1.

INSERT INTO dbo.test
VALUES (3, 'some text',
ENCRYPTBYKEY(KEY_GUID('Key1'), 'text to be encrypted'))

5Decrypt data with key1.

SELECT id, name, CONVERT(varchar(MAX),
DECRYPTBYKEY(data))
FROM dbo.test
WHERE id = 3

6Close the symmetric key.

CLOSE SYMMETRIC KEY key1

7Execute steps 3-6 on the secondary replica and verify consistency with the primary replica's output.

Enable TDE using asymmetric key on Luna HSM

Note

In Luna EKM v1.3 and later, enhanced support for creating longer asymmetric keys, specifically RSA_3072 and RSA_4096, has been introduced. However, it's crucial to be aware of a known issue identified during integration testing involving TDE encryption using an RSA_4096 key for the Data Encryption Key (DEK). This issue has been promptly reported to Microsoft technical support. As a precautionary measure, until the matter is resolved, it is advisable to utilize a maximum key length of RSA_3072 when implementing TDE. Any updates or changes will be reflected in the integration guide once the issue is resolved.

Note

Database encryption operations cannot be executed on master, model, tempdb, msdb, or resource databases.

To enable Transparent Data Encryption (TDE) using an asymmetric key stored on a Luna HSM, follow these steps:

1Create an asymmetric key on the primary replica:

USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION = CREATE_NEW;

Note

2If you are operating the HSM in FIPS mode:

Execute the following command in the command prompt to generate the key using the CMU utility provided with the HSM Client:

cmu generatekeypair -label EKM_RSA_2048_Key_TDE -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T

Proceed to map the generated key in SQL Server using the following script:

CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION=OPEN_EXISTING

3Create the same asymmetric key on the secondary replica:

USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION = OPEN_EXISTING;

4Create a credential for Luna EKM Provider:

CREATE CREDENTIAL <Name_of_credential>
WITH IDENTITY = '<Name_of_EKM_User>', SECRET = '<HSM_partition_password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;

5Create a login based on the asymmetric key:

CREATE LOGIN <Name_of_login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;

6Map the credential to the login:

ALTER LOGIN <Name_of_Login>
ADD CREDENTIAL <Name_of_credential>;

7Execute steps 2-5 on all secondary nodes:

Note

It is essential to repeat the procedure for every node in the database. This is necessary because the TDE encryption key, credential, and login are objects residing in the master database and are not automatically replicated when including a node in the Availability Groups.

8Create a database encryption key on the primary node:

USE TDE;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;

9Enable TDE:

ALTER DATABASE TDE
SET ENCRYPTION ON;

10Query the status of database encryption:

SELECT
  DB_NAME(e.database_id) AS DatabaseName,
  e.database_id,
  e.encryption_state,
  CASE e.encryption_state
    WHEN 0 THEN 'No DB encryption key present, no encryption'
    WHEN 1 THEN 'Unencrypted'
    WHEN 2 THEN 'Encryption in progress'
    WHEN 3 THEN 'Encrypted'
    WHEN 4 THEN 'Key change in progress'
    WHEN 5 THEN 'Decryption in progress'
  END AS encryption_state_desc,
  c.name,
  e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
  ON e.encryptor_thumbprint = c.thumbprint;

Add an encrypted database to Availability Group

Before integrating your already encrypted database into the Availability Group, ensure you've backed up the encrypted database to a network location accessible by all secondary nodes. Follow these customer-friendly steps to add the encrypted database to the Availability Group:

1Launch SMS on the primary node where your encrypted database resides.

2Add database to Availability Group (such as, AGroup):

USE master;
ALTER AVAILABILITY GROUP AGroup ADD DATABASE tde;

Note

This command adds the database to the Availability Group, but it's not yet accessible on the secondary node.

3Restore the database on the secondary node from the location where you stored the encrypted database. Use the RESTORE WITH NORECOVERY parameter.

4Add the database on the secondary node:

USE master;
ALTER DATABASE tde SET HADR AVAILABILITY GROUP = AGroup;

5Query the status of database encryption and its completion percentage on the secondary node:

SELECT 
DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e 
LEFT JOIN master.sys.asymmetric_keys AS c 
ON e.encryptor_thumbprint = c.thumbprint;

Rotate keys for TDE

Regularly updating your Transparent Database Encryption (TDE) security keys is essential for maintaining a robust security posture. Follow these steps to rotate your TDE keys seamlessly:

1Create an asymmetric key on the primary node:

USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=CREATE_NEW;

Note

SQL Server does not implement FIPS 186-4. If using HSM in FIPS mode:
a. Execute the following command in the command prompt to generate the key using the CMU utility provided with the HSM Client:
cmu generatekeypair -label EKM_RSA_2048_Key_TDE_Rot -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
b. Map the key in SQL Server:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING;

2Create the same asymmetric key on a secondary node:

USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING;

3Create a credential for Luna EKM Provider:

CREATE CREDENTIAL <Name of Credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM Partition Password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;

4Create a login based on the asymmetric key:

CREATE LOGIN <Name of Login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;

5Map the credential to the created login:

ALTER LOGIN <Name of Login> 
ADD CREDENTIAL <Name of Credential>;

6Repeat Steps 2-5 for All Secondary Nodes.

Note

7Enable TDE key rotation on the primary replica:

USE tde;
ALTER DATABASE ENCRYPTION KEY
REGENERATE
WITH ALGORITHM = AES_128

ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;
go 
SELECT * FROM sys.dm_database_encryption_keys;
go

8Query the status of database encryption and key rotation:

SELECT 
DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint;

Troubleshooting tips

Here are some troubleshooting tips for problems related to SQL Server and cryptographic operations.

Problem 1: Failed to verify Authenticode signature on DLL

Error Message: Failed to verify Authenticode signature on DLL 'C:\Program Files\LunaPCI\EKM\LunaEKM.dll'.

Solution:

1Visit http://www.verisign.com/support/roots.html and download all root certificates.

2Install the downloaded certificate.

3Import the certificate into the Trusted Root Certification Authorities store.

Problem 2: CREATE CRYPTOGRAPHIC PROVIDER fails with error code 1

Error Message: Cannot initialize cryptographic provider. Provider error code: 1. (Failure - Consult EKM Provider for details)

Solution:

1Reboot the OS server.

2Try to create the cryptographic provider again.

Problem 3: Unable to open symmetric key encrypted by asymmetric key

Error Message: An error occurred during decryption. Msg 15466, Level 16, State 28, Line 1.

Solution:

1Download the cumulative update package for SQL Server provided by Microsoft.

2Apply the cumulative update to resolve the decryption issue.

3The cumulative update package can be found at https://support.microsoft.com/en-us/help/4342123/cumulative-update-10-for-sql-server-2017.

Microsoft SQL

Supported Platforms

Prerequisites

Set up Luna HSM

Set up On-Premise Luna HSM

Set up Luna HSM in High Availability Mode

Set up Luna HSM in FIPS Mode

Set up Luna Cloud HSM

Configure Luna EKM

Configure SQL Server

Integrate Luna HSM with SQL Server

Enable EKM Provider option

Create and register Luna EKM Provider

Set up credential for Luna EKM Provider

Use Luna EKM Provider option

Manage symmetric keys

Create symmetric keys

View symmetric keys

Encrypt a database table with symmetric keys

Decrypt a database table with symmetric keys

Drop symmetric keys

Manage asymmetric keys

Create and map asymmetric keys

View asymmetric keys

Encrypt a database table with asymmetric keys

Decrypt a database table with asymmetric keys

Drop asymmetric keys

Create symmetric key encrypted by asymmetric key

Enable TDE using asymmetric key

Rotate keys for TDE

Migrate TDE from SQL EKM to Luna EKM

Rotate DEK and migrate to KEK

Migrate to KEK created on Luna HSM without rotating the DEK

Use EKM on SQL Server failover cluster

Integrate Luna HSM with SQL Server HA group

Enable EKM Provider Option

Create and register Luna EKM Provider

Set up credential for Luna EKM Provider

Create Always On Availability Group

Create encryption keys for Availability Group database

Create symmetric key using the Luna EKM Provider

View symmetric keys using the Luna EKM Provider

Encrypt a database table with symmetric keys

Decrypt a database table with symmetric keys using the Luna EKM Provider

Create asymmetric keys on Luna HSM

View asymmetric keys using Luna EKM Provider

Encrypt a database table with asymmetric keys

Decrypt a database table with asymmetric keys

Create symmetric key encrypted by asymmetric key on Luna HSM

Enable TDE using asymmetric key on Luna HSM

Add an encrypted database to Availability Group

Rotate keys for TDE

Troubleshooting tips

Problem 1: Failed to verify Authenticode signature on DLL

Problem 2: CREATE CRYPTOGRAPHIC PROVIDER fails with error code 1

Problem 3: Unable to open symmetric key encrypted by asymmetric key

On this page