Microsoft SQL
This document offers detailed guidance on integrating Microsoft SQL Server with Luna HSM devices or Luna Cloud HSM services. To effectively utilize this guide, a basic understanding of Microsoft SQL Server and Luna HSM concepts is assumed.
This integration enhances the security and management capabilities of cryptographic keys within the SQL Server environment. To establish this integration, you need to configure the Extensible Key Management (EKM) provider option in SQL Server. Microsoft SQL's EKM feature enables the effective use of Luna HSMs for critical cryptographic operations. This includes key storage, as well as tasks like key creation, deletion, encryption, and decryption. Luna HSM provides access to Luna EKM, including the EKM provider library.
The benefits of integrating Luna HSMs with Microsoft SQL Server include:
-
Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
-
Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
-
Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
-
Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
| HSM Type | Platform Tested | EKM Software Version | Microsoft SQL Server Version |
|---|---|---|---|
| Luna HSM | Windows Server 2019 | EKM v1.5 | Microsoft SQL Server 2022 |
| Luna HSM | Windows Server 2019+CU2 (KB4536075) | EKM v1.5 EKM v1.4 |
Microsoft SQL Server 2019 |
| Luna HSM | Windows Server 2016 Windows Server 2012 R2 |
EKM v1.4 | Microsoft SQL Server 2017 Microsoft SQL Server 2016 |
| Luna Cloud HSM | Windows Server 2019 | EKM v1.5 | Microsoft SQL Server 2022 |
| Luna Cloud HSM | Windows Server 2019+CU2 (KB4536075) | EKM v1.5 EKM v1.4 |
Microsoft SQL Server 2019 |
| Luna Cloud HSM | Windows Server 2016 | EKM v1.4 | Microsoft SQL Server 2017 Microsoft SQL Server 2016 |
This integration has been tested in both HA and FIPS modes. Notably, SQL Server employs the CKM_RSA_PKCS mechanism for encryption/decryption, but this mechanism is restricted in FIPS mode starting from firmware version 7.7.2. Consequently, it's important to note that this integration is not supported in FIPS mode for Luna HSM firmware versions 7.7.2 and above.
SQL Server employs the CKM_RSA_PKCS mechanism for encryption, yet it is not permitted by Luna Cloud HSM in FIPS mode. Consequently, the integration of SQL Server with Luna Cloud HSM is viable only in Non-FIPS mode.
Prerequisites
Before integrating, ensure that the following prerequisites are met:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later on used by Microsoft SQL.
Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe an output similar to the example provided below:
lunacm.exe (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved. Available HSMs: Slot Id -> 0 Label -> org.example.com Serial Number -> 1238696044924 Model -> LunaSA 7.4.0 Firmware Version -> 7.4.0 Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode Slot Description -> Net Token Slot FM HW Status -> Non-FM
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Set up Luna HSM in High Availability Mode
Refer to Luna HSM documentation for High Availability (HA) steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.
Set up Luna HSM in FIPS Mode
To configure Luna HSM in FIPS Mode, update the configuration file by adding or modifying the following setting within the [Misc] section:
RSAKeyGenMechRemap=1
This setting ensures that older calling mechanisms are redirected to the approved RSA key generation methods (186-3 with primes and 186-3 with aux primes) required for FIPS compliance. By making this configuration change, Luna HSM will be properly set up to operate in FIPS mode, adhering to the approved RSA key generation standards.
The configuration setting mentioned above, RSAKeyGenMechRemap=1, is not required for the Universal Client. It is applicable only for Luna Client 7.x.
Set up Luna Cloud HSM
The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
cvclient-min.zip
Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.
To add the configuration to an already installed UC client, use the –addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Configure Luna EKM
Configure Luna EKM by following these steps:
Install the Luna EKM on the host system. Download the Luna EKM package from the Thales support portal using the provided DOC IDs:
The installation program is Windows-based and will seamlessly guide you through the installation process.
Luna EKM 1.5 introduces additional support for the crypto-user of the partition, enabling read-only operations like encryption or decryption.
If you're using Luna EKM 1.5 and prefer a silent installation, execute the following command:
msiexec.exe /i LunaEKM.msi /qn INSTALLLEVEL=101 /l* EKM.txt
After installing Luna EKM, manage it using the LunaEKMConfig utility, found in the Luna EKM installation folder. Employ the following commands in LunaEKMConfig:
-
To register a new slot with Luna EKM:
RegisterSlot -
To view the list of slots/HSMs configured with your client:
ViewSlots -
To configure logging settings for Luna EKM:
LogSettings -
Specify the log level using one of the following options:
NONE=0,INFO=1,DEBUG=2 -
Specify the name and location of the log file using this format:
LogFile name: <Name and location of LogFile>
Configure SQL Server
Install SQL Server on the designated machine. If you intend to set up a High Availability (Always On) SQL Server group, it's essential to install SQL Server on all nodes and verify that each node has access to Windows Failover Clustering Services (WFCS). For comprehensive installation procedures, consult the Microsoft SQL Server documentation.
Integrate Luna HSM with SQL Server
Follow these steps to establish and optimize the integration between Luna HSM and SQL Server for various key management and encryption functionalities:
Create and register Luna EKM Provider
Set up credential for Luna EKM Provider
Enable TDE using asymmetric key
Enable EKM Provider option
To activate the EKM Provider option, follow these steps:
Launch the SQL Server Management Studio.
Connect to the SQL Server.
Open a new query window and run the following query:
sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO
The sp_configure is compatible with the Enterprise, Developer, and Evaluation editions of SQL Server. Executing the command on a different version may result in an error.
Create and register Luna EKM Provider
To create and register the Luna EKM Provider, follow these steps:
Launch the SQL Server Management Studio.
Connect to the SQL Server.
Open a new query window and execute the following command:
CREATE CRYPTOGRAPHIC PROVIDER <Name of Cryptographic Provider>
FROM FILE = '<Location of Luna EKM Provider Library>'
Ensure the <Name of Cryptographic Provider> is a unique user-defined name. These steps facilitate the creation and registration of the Luna EKM Provider within your SQL Server environment.
Verify the list of EKM providers:
SELECT [provider_id], [name], [guid], [version], [dll_path], [is_enabled]
FROM [model].[sys].[cryptographic_providers]
- Verify the provider properties:
SELECT [provider_id], [guid], [provider_version], [sqlcrypt_version], [friendly_name], [authentication_type],
[symmetric_key_support], [symmetric_key_persistance], [symmetric_key_export], [symmetric_key_import],
[asymmetric_key_support], [asymmetric_key_persistance], [asymmetric_key_export], [asymmetric_key_import]
FROM [master].[sys].[dm_cryptographic_provider_properties]
Set up credential for Luna EKM Provider
The next crucial step is to establish a credential for the Luna EKM Provider, mapping it to the SQL Service Account or the logged-in user authorized to use the Luna EKM Provider.
Open a query window and execute the following command:
CREATE CREDENTIAL <Name of Credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM Partition Password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider
In Luna EKM 1.5, it is essential to note that when creating a credential for the crypto-user of the partition, the IDENTITY value must include the prefix CU_. This prefix ensures proper identification and association with the crypto-user role. Failure to include the prefix will default to using the crypto-officer role for login to the HSM partition.
Create a credential for a crypto-officer (CO):
CREATE CREDENTIAL EKMCredential
WITH IDENTITY='EKMUser', SECRET='userpin1'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider
Create a credential for a crypto-user (CU):
CREATE CREDENTIAL EKMCredential
WITH IDENTITY='CU_EKMUser', SECRET='userpin2'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider
Map the credential with the SQL service account or login:
ALTER LOGIN [Domain\Login Name]
ADD CREDENTIAL <Name of Credential created>
Make sure to reopen the EKM session when there are changes to user credentials or the HSM service, or when the client machine is deleted from the service, or in the event of a network disconnection on the machine.
Use Luna EKM Provider option
The Luna EKM Provider has been prepared and is now available for use. This provider facilitates the generation and deletion of both symmetric and asymmetric keys within a Luna HSM partition. The keys generated can then be employed for encryption and decryption operations. Specifically, the SQL Server is capable of creating symmetric keys of different lengths (AES_128, AES_192, and AES_256) within the Luna HSM. These keys can be pivotal in securing sensitive data through encryption processes within the SQL Server environment.
Manage symmetric keys
Navigate through the sections below to gain comprehensive insights into the various facets of managing symmetric keys, ensuring a proficient and secure approach to key operations:
The examples provided below use AES_256 algorithms. To explore other algorithms, replace AES_256 with an alternate algorithm tag.
Create symmetric keys
To create a symmetric key using the Luna EKM Provider, execute the following command from the SQL query window:
CREATE SYMMETRIC KEY SQL_EKM_AES_256_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = AES_256,
PROVIDER_KEY_NAME = 'EKM_AES_256_Key',
CREATION_DISPOSITION = CREATE_NEW
Once a key is created on the Luna HSM, it can be referenced by name within the SQL Server. In the test case above, SQL_EKM_AES_256_Key serves as the unique name for the key in the SQL Server, applicable for encrypting and decrypting operations.
View symmetric keys
To view symmetric keys using the Luna EKM Provider, execute the following command:
SELECT * FROM [master].[sys].[symmetric_keys]
Encrypt a database table with symmetric keys
Follow these steps to encrypt a database table with symmetric keys:
Create a test table in the MASTER database with fields:
CREATE TABLE test (
id NUMERIC(10),
name VARCHAR(50),
data VARCHAR(MAX)
)
Execute the following command from the SQL query window:
INSERT INTO dbo.test
VALUES (1, 'some text', EncryptByKey(Key_GUID('SQL_EKM_AES_256_Key'), 'text to be encrypted'))
Decrypt a database table with symmetric keys
To decrypt a database table with symmetric keys using Luna EKM Provider, execute the following command from the SQL query window:
SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByKey(data))
FROM dbo.test WHERE id = 1
Drop symmetric keys
To remove symmetric keys, execute the following command from the SQL query window:
DROP SYMMETRIC KEY SQL_EKM_AES_256_Key REMOVE PROVIDER KEY
Manage asymmetric keys
Navigate through the sections below to gain comprehensive insights into the various facets of managing asymmetric keys, ensuring heightened security through state-of-the-art cryptographic algorithms including RSA_2048, RSA_3072, and RSA_4096.
The examples that follow focus on RSA_2048 algorithms for illustrating asymmetric key operations. Feel free to effortlessly swap RSA_2048 with any alternative algorithm tag of your choice.
Create and map asymmetric keys
To create and map asymmetric keys using the Luna EKM Provider:
Run the following SQL command:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=CREATE_NEW
SQL Server does not implement FIPS 186-4. Consequently, RSA key generation by SQL Server is unsupported when the HSM is in FIPS Mode. For HSM in FIPS mode, employ the CMU utility to generate the key via the command prompt:
cmu generatekeypair -label EKM_RSA_2048_Key -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
Map the key in SQL Server. After the key is created in the HSM, it needs to be mapped within SQL Server to establish a connection between the HSM key and its representation in the SQL Server database. This mapping process ensures that SQL Server recognizes and can appropriately use the key created in the external HSM for encryption and decryption operations. Run the following command to map the key:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=OPEN_EXISTING
Once a key is created on Luna HSM, it becomes accessible by its name from SQL Server. For instance, in the test case above, SQL_EKM_RSA_2048_Key serves as the unique key name in SQL Server, applicable for encryption and decryption operations.
View asymmetric keys
To view asymmetric keys using Luna EKM Provider, execute the following command:
SELECT * FROM [master].[sys].[asymmetric_keys]
Encrypt a database table with asymmetric keys
To encrypt a database table with asymmetric keys:
Create a test table in the MASTER database with fields:
CREATE TABLE test (
id NUMERIC(10),
name VARCHAR(50),
data VARCHAR(MAX)
)
Execute the following command from the SQL query window:
INSERT INTO dbo.test
VALUES (1, 'some text', EncryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), 'text to be encrypted'))
Decrypt a database table with asymmetric keys
To decrypt a database table with asymmetric keys, execute the following command from the SQL query window:
SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), data))
FROM dbo.test WHERE id = 1
Drop asymmetric keys
To drop asymmetric keys using Luna EKM Provider, execute the following command from the SQL query window:
DROP ASYMMETRIC KEY SQL_EKM_RSA_2048_Key REMOVE PROVIDER KEY
Create symmetric key encrypted by asymmetric key
Follow these steps to create a symmetric key encrypted by an asymmetric key:
Execute the following command in the SQL query window:
CREATE SYMMETRIC KEY key1
WITH ALGORITHM = AES_256
ENCRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;
SQL_EKM_RSA_2048_Key refers to an existing asymmetric key on the Luna HSM. For details on generating an asymmetric key, consult the Manage asymmetric keys section.
Open the key before you can use it for decryption operations:
OPEN SYMMETRIC KEY key1 DECRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;
For Microsoft SQL Server 2017, apply the recommended patch, as described in the Troubleshooting Tips section.
Create a test table in the master database with the following fields:
CREATE TABLE test (
id NUMERIC(10),
name VARCHAR(50),
data VARCHAR(MAX)
)
Encrypt the table data using the symmetric key:
INSERT INTO dbo.test
VALUES (1, 'some text', Encryptbykey(KEY_GUID('key1'), 'text to be encrypted'))
Decrypt the data using the symmetric key:
SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByKey(data))
FROM dbo.test WHERE id = 1
Close the symmetric key:
CLOSE SYMMETRIC KEY key1
Enable TDE using asymmetric key
Enhance the security of your database by enabling Transparent Data Encryption (TDE) using an asymmetric key stored on a Luna HSM. Follow these steps for a seamless integration:
Luna EKM v1.3 onwards introduces support for generating higher-length asymmetric keys, specifically RSA_3072 and RSA_4096. However, an issue has been identified during integration testing with TDE and RSA_4096 key. To ensure a seamless experience, we recommend utilizing a maximum key length of RSA_3072 for TDE until Microsoft resolves the issue. The integration guide will be promptly updated in alignment with any developments.
Encryption operations cannot be executed on master, model, tempdb, msdb, or resource databases.
Create an asymmetric key using Luna EKM Provider:
USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION=CREATE_NEW;
For FIPS mode, generate the key using the CMU utility in the command prompt:
cmu generatekeypair -label EKM_RSA_2048_Key_TDE -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
Map the key in SQL Server:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION=OPEN_EXISTING;
Create a credential for Luna EKM Provider:
CREATE CREDENTIAL <Name of credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;
Create a login based on the asymmetric key:
CREATE LOGIN <Name of login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;
Map the credential to the login:
ALTER LOGIN <Name of Login>
ADD CREDENTIAL <Name of credential>;
Create a database encryption key:
CREATE DATABASE TDE;
USE TDE;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;
Enable TDE:
ALTER DATABASE TDE
SET ENCRYPTION ON;
Query the status of database encryption:
SELECT DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint;
Rotate keys for TDE
To ensure the security of your TDE, it's essential to regularly update your encryption keys. Follow the steps below to rotate your TDE keys:
Generate an asymmetric key, depending on whether your HSM is in non-FIPS or FIPS mode.
Non-FIPS mode
If your HSM is in non-FIPS mode, run the following command to generate an asymmetric key using the Luna EKM Provider:
USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=CREATE_NEW
FIPS mode
If your HSM is in FIPS mode, SQL Server's native RSA key generation isn't supported. Follow these instructions instead:
- Open the command prompt and generate the key using the CMU utility provided with the HSM Client.
cmu generatekeypair -label EKM_RSA_2048_Key_TDE_Rot -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
- After generating the key, map it in SQL Server:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING
Map the key in SQL Server:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING
Create a credential for Luna EKM Provider:
CREATE CREDENTIAL <Name of credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider
Create a login based on the asymmetric key:
CREATE LOGIN <Name of login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;
Map the credential to the login:
ALTER LOGIN <Name of Login>
ADD CREDENTIAL <Name of credential>;
Enable TDE key rotation:
- Rotate the Database Encryption Key (DEK):
USE tde;
ALTER DATABASE ENCRYPTION KEY
REGENERATE
WITH ALGORITHM = AES_128;
- Rotate the asymmetric key used to encrypt the DEK:
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;
go
SELECT * FROM sys.dm_database_encryption_keys;
go
Query the status of TDE after rotation:
SELECT DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint;
Migrate TDE from SQL EKM to Luna EKM
To migrate TDE from SQL EKM to Luna EKM, follow these steps:
Create an asymmetric key:
USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_AW',
CREATION_DISPOSITION=CREATE_NEW
SQL Server does not implement FIPS 186-4. For FIPS Mode, generate the key using CMU utility provided with the HSM Client:
cmu generatekeypair -label EKM_RSA_2048_Key_AW -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
Map the key in SQL Server:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_AW',
CREATION_DISPOSITION=OPEN_EXISTING
Create a credential for Luna EKM Provider:
CREATE CREDENTIAL <Name of credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider
Create a login based on the asymmetric key:
CREATE LOGIN <Name of login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW;
Map the credential to the login:
ALTER LOGIN <Name of Login>
ADD CREDENTIAL <Name of credential>;
Migrate TDE from SQL to Luna EKM.
Rotate DEK and migrate to KEK
To rotate the DEK and migrate to KEK created on Luna HSM:
This example uses the AdventureWorks database. Please replace AdventureWorks with your actual database name.
Perform a backup of both the database and transaction logs. Ensure the completion of the backup process, and then proceed to restart the SQL database for the changes to take effect.
Rotate the DEK:
USE AdventureWorks;
ALTER DATABASE ENCRYPTION KEY
REGENERATE
WITH ALGORITHM = AES_256;
Migrate to KEK:
USE AdventureWorks;
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW
Go
SELECT * FROM sys.dm_database_encryption_keys
Go
Migrate to KEK created on Luna HSM without rotating the DEK
To migrate to KEK created on Luna HSM without rotating the DEK:
This example uses the AdventureWorks database. Please replace AdventureWorks with your actual database name.
Back up the database and transaction logs. Restart the SQL database after backup completes.
Migrate to KEK:
USE AdventureWorks;
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_AW;
Go
SELECT * FROM sys.dm_database_encryption_keys
Go
Check the status of TDE after migration:
SELECT DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint
Once the query executes successfully, the screen will display the status of database encryption and its completion percentage. With this, the migration from SQL Server to Luna HSM or Luna Cloud HSM service is now complete.
Use EKM on SQL Server failover cluster
To use EKM on SQL Server failover cluster:
Install failover cluster. Follow the SQL Server documentation for failover cluster installation. Set up shared storage for the SQL Server Cluster, determining the size based on the required number of certificates.
Install the Luna HSM client on both nodes after ensuring the cluster's functionality.
Configure the HSM on both nodes. Register the same partition or Cloud HSM service on both nodes in the SQL Server Cluster.
Install the Luna EKM client on both nodes.
Configure the Luna EKM provider on both nodes.
Open SQL Server Management Studio to register the Luna EKM provider on the first node.
Establish the credential on the first node.
Generate encryption keys using the Luna EKM provider on the first node.
Create a table and encrypt a column with the Luna EKM key on the first node.
Shut down the first node.
Log in to the second node and decrypt the data encrypted on the first node.
Confirm successful decryption of the data on the second node, ensuring EKM with Luna EKM is functioning seamlessly within the SQL Server cluster.
Integrate Luna HSM with SQL Server HA group
To seamlessly integrate Luna HSM with SQL Server in a HA Group, follow these steps:
Create and register Luna EKM Provider
Set up credential for Luna EKM Provider
Create Always On Availability Group
Enable TDE using asymmetric key on Luna HSM
Enable EKM Provider Option
To enable the EKM Provider option on all nodes in the HA configuration, follow these steps:
Launch the SQL Server Management Studio (SSMS) application.
Connect to the SQL Server.
Open a query window, and execute the following commands:
sp_configure 'show advanced', 1;
GO
RECONFIGURE;
GO
sp_configure 'EKM provider enabled', 1;
GO
RECONFIGURE;
GO
Ensure that you are using the Enterprise, Developer, or Evaluation editions of SQL Server. The sp_configure command may not be supported on alternative versions, leading to an error if executed.
Create and register Luna EKM Provider
Follow these steps to set up the Luna EKM provider, install the Luna EKM Software, and register it for use with SQL Server on all nodes in the HA configuration. To create and register the Luna EKM Provider:
Launch the SSMS application.
Establish a connection to the SQL Server instance.
Create the cryptographic provider:
CREATE CRYPTOGRAPHIC PROVIDER <Name of Cryptographic Provider>
FROM FILE = '<Location of Luna EKM Provider Library>'
Replace <Name of Cryptographic Provider> with a unique user-defined name. Ensure to provide the correct location for the Luna EKM Provider Library.
View the list of EKM providers:
SELECT [provider_id], [name], [guid], [version], [dll_path], [is_enabled]
FROM [model].[sys].[cryptographic_providers]
View the provider properties:
SELECT [provider_id], [guid], [provider_version], [sqlcrypt_version], [friendly_name], [authentication_type],
[symmetric_key_support], [symmetric_key_persistance], [symmetric_key_export], [symmetric_key_import],
[asymmetric_key_support], [asymmetric_key_persistance], [asymmetric_key_export], [asymmetric_key_import]
FROM [master].[sys].[dm_cryptographic_provider_properties]
Set up credential for Luna EKM Provider
To set up credential for Luna EKM Provider:
Execute the following command to create the credential:
CREATE CREDENTIAL <Name of Credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM partition password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;
Replace <Name of Credential> and <Name of EKM User> with user-defined names.
Map the credential to the SQL service account or login:
ALTER LOGIN [Domain\Login Name]
ADD CREDENTIAL <Name of Credential created>;
We recommend using a domain user on all SQL Server nodes. Ensure to reopen the EKM session if the user changes the HSM service, or the client machine is deleted from the service, or the machine suffers a network disconnection.
Create Always On Availability Group
To create Always On Availability Group:
Open Microsoft SQL Server Management Studio on the primary node.
Create a database.
Back up the database to a shared network location accessible by all SQL Server nodes.
Open the Always On Availability Group Creation wizard and follow these steps:
-
Launch the wizard.
-
Specify the name for the Availability Group.
-
Add the participating nodes (primary and secondary) to the Availability Group.
-
Configure the necessary settings, such as failover mode and backups.
Refer to the Microsoft Documentation for detailed instructions on creating the Always On Availability Group.
Create encryption keys for Availability Group database
You can use the Luna EKM provider to create/drop symmetric and asymmetric keys to/from the HSM and can perform encryption/decryption using these keys.
Create symmetric key using the Luna EKM Provider
To create a symmetric key using the Luna EKM Provider:
Open SQL Server Management Studio (SSMS) on the primary node.
Execute the following command in the SQL query window:
USE HSMDB;
Execute the following command to create a symmetric key using the Luna EKM Provider:
CREATE SYMMETRIC KEY SQL_EKM_AES_256_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = AES_256,
PROVIDER_KEY_NAME = 'EKM_AES_256_Key',
CREATION_DISPOSITION = CREATE_NEW;
After creating the key on Luna HSM, you can reference it by its unique name in SQL Server. For instance, use the name SQL_EKM_AES_256_Key to identify and utilize this key within SQL Server.
View symmetric keys using the Luna EKM Provider
To view symmetric keys using the Luna EKM Provider, execute the following command:
SELECT * FROM [hsmdb].[sys].[symmetric_keys];
Encrypt a database table with symmetric keys
To encrypt a database table with symmetric keys using the Luna EKM Provider:
Create a test table in the HSMDB database with the following fields:
CREATE TABLE test (
id NUMERIC(10),
name VARCHAR(50),
data VARCHAR(MAX)
);
Execute the following command:
INSERT INTO dbo.test
VALUES (1, 'some text', EncryptByKey(Key_GUID('SQL_EKM_AES_256_Key'), 'text to be encrypted'));
Decrypt a database table with symmetric keys using the Luna EKM Provider
To decrypt a database table with symmetric keys using the Luna EKM Provider:
Execute the following command:
SELECT id, name, CONVERT(VARCHAR(MAX), DecryptByKey(data))
FROM dbo.test WHERE id = 1;
Execute the above command on the secondary replica and verify that the output is the same as the primary replica.
Create asymmetric keys on Luna HSM
To generate the asymmetric key using the Luna EKM Provider:
Execute the following command in the SQL query window:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=CREATE_NEW;
SQL Server does not adhere to FIPS 186-4, and consequently, RSA key generation by SQL Server is not supported when the Hardware Security Module (HSM) is in FIPS Mode. Please follow the provided steps for generating an RSA Key when the HSM is in FIPS mode.
When using HSM in FIPS mode, open the command prompt and generate the key using the CMU utility provided with HSM Client:
cmu generatekeypair -label EKM_RSA_2048_Key -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
Map the key in SQL Server:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key',
CREATION_DISPOSITION=OPEN_EXISTING;
Once a key is created, it can be used or referred to by its name in SQL Server. For example, in the above test case, SQL_EKM_RSA_2048_Key is the unique name of the key in SQL Server, and this key name can be used for encrypt and decrypt operations.
View asymmetric keys using Luna EKM Provider
To view asymmetric keys using the Luna EKM Provider, execute the following command from the SQL query window:
SELECT * FROM [hsmdb].[sys].[asymmetric_keys];
Encrypt a database table with asymmetric keys
To encrypt a database table with asymmetric keys using the Luna EKM Provider, execute the following command from the SQL query window:
INSERT INTO dbo.test
VALUES (2, 'some text', EncryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), 'text to be encrypted'));
Decrypt a database table with asymmetric keys
To decrypt a database table with asymmetric keys using the Luna EKM Provider:
Execute the following command from the SQL query window:
SELECT id, name, CONVERT(varchar(MAX), DecryptByAsymKey(AsymKey_Id('SQL_EKM_RSA_2048_Key'), data))
FROM dbo.test WHERE id = 2;
Execute the above command on the secondary replica and verify that the output is the same as the primary replica.
Create symmetric key encrypted by asymmetric key on Luna HSM
Enhancing the security of symmetric keys is achieved by encrypting them with an asymmetric key. Follow these steps to create a symmetric key encrypted by an existing asymmetric key:
Launch SQL Server Management Studio (SSMS) on the primary node.
Execute the following command in the SQL query window:
CREATE SYMMETRIC KEY key1
WITH ALGORITHM = AES_256
ENCRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;
Ensure that the specified asymmetric key (SQL_EKM_RSA_2048_Key) is already present in the database before attempting to use it for encrypting a symmetric key. If the specified asymmetric key does not exist, you should create it first before proceeding with the command to create the symmetric key.
Prior to utilizing the key, open it using the command:
OPEN SYMMETRIC KEY key1 DECRYPTION BY Asymmetric Key SQL_EKM_RSA_2048_Key;
If you are using Microsoft SQL Server 2017, apply the recommended patch mentioned in the Troubleshooting Tips section.
Encrypt data utilizing key1.
INSERT INTO dbo.test
VALUES (3, 'some text',
ENCRYPTBYKEY(KEY_GUID('Key1'), 'text to be encrypted'))
Decrypt data with key1.
SELECT id, name, CONVERT(varchar(MAX),
DECRYPTBYKEY(data))
FROM dbo.test
WHERE id = 3
Close the symmetric key.
CLOSE SYMMETRIC KEY key1
Execute steps 3-6 on the secondary replica and verify consistency with the primary replica's output.
Enable TDE using asymmetric key on Luna HSM
In Luna EKM v1.3 and later, enhanced support for creating longer asymmetric keys, specifically RSA_3072 and RSA_4096, has been introduced. However, it's crucial to be aware of a known issue identified during integration testing involving TDE encryption using an RSA_4096 key for the Data Encryption Key (DEK). This issue has been promptly reported to Microsoft technical support. As a precautionary measure, until the matter is resolved, it is advisable to utilize a maximum key length of RSA_3072 when implementing TDE. Any updates or changes will be reflected in the integration guide once the issue is resolved.
Database encryption operations cannot be executed on master, model, tempdb, msdb, or resource databases.
To enable Transparent Data Encryption (TDE) using an asymmetric key stored on a Luna HSM, follow these steps:
Create an asymmetric key on the primary replica:
USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION = CREATE_NEW;
SQL Server does not adhere to FIPS 186-4, and consequently, RSA key generation by SQL Server is not supported when the Hardware Security Module (HSM) is in FIPS Mode. Please follow the provided steps for generating an RSA Key when the HSM is in FIPS mode.
If you are operating the HSM in FIPS mode:
- Execute the following command in the command prompt to generate the key using the CMU utility provided with the HSM Client:
cmu generatekeypair -label EKM_RSA_2048_Key_TDE -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
- Proceed to map the generated key in SQL Server using the following script:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION=OPEN_EXISTING
Create the same asymmetric key on the secondary replica:
USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE',
CREATION_DISPOSITION = OPEN_EXISTING;
Create a credential for Luna EKM Provider:
CREATE CREDENTIAL <Name_of_credential>
WITH IDENTITY = '<Name_of_EKM_User>', SECRET = '<HSM_partition_password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;
Create a login based on the asymmetric key:
CREATE LOGIN <Name_of_login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;
Map the credential to the login:
ALTER LOGIN <Name_of_Login>
ADD CREDENTIAL <Name_of_credential>;
Execute steps 2-5 on all secondary nodes:
It is essential to repeat the procedure for every node in the database. This is necessary because the TDE encryption key, credential, and login are objects residing in the master database and are not automatically replicated when including a node in the Availability Groups.
Create a database encryption key on the primary node:
USE TDE;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE;
Enable TDE:
ALTER DATABASE TDE
SET ENCRYPTION ON;
Query the status of database encryption:
SELECT
DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No DB encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint;
Add an encrypted database to Availability Group
Before integrating your already encrypted database into the Availability Group, ensure you've backed up the encrypted database to a network location accessible by all secondary nodes. Follow these customer-friendly steps to add the encrypted database to the Availability Group:
Launch SMS on the primary node where your encrypted database resides.
Add database to Availability Group (such as, AGroup):
USE master;
ALTER AVAILABILITY GROUP AGroup ADD DATABASE tde;
This command adds the database to the Availability Group, but it's not yet accessible on the secondary node.
Restore the database on the secondary node from the location where you stored the encrypted database. Use the RESTORE WITH NORECOVERY parameter.
Add the database on the secondary node:
USE master;
ALTER DATABASE tde SET HADR AVAILABILITY GROUP = AGroup;
Query the status of database encryption and its completion percentage on the secondary node:
SELECT
DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint;
Rotate keys for TDE
Regularly updating your Transparent Database Encryption (TDE) security keys is essential for maintaining a robust security posture. Follow these steps to rotate your TDE keys seamlessly:
Create an asymmetric key on the primary node:
USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=CREATE_NEW;
SQL Server does not implement FIPS 186-4. If using HSM in FIPS mode:
a. Execute the following command in the command prompt to generate the key using the CMU utility provided with the HSM Client:
cmu generatekeypair -label EKM_RSA_2048_Key_TDE_Rot -modulusBits=2048 -publicExp=65537 -sign=T -verify=T -encrypt=T -decrypt=T
b. Map the key in SQL Server:
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING;
Create the same asymmetric key on a secondary node:
USE master;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot
FROM Provider LunaEKMProvider
WITH PROVIDER_KEY_NAME = 'EKM_RSA_2048_Key_TDE_Rot',
CREATION_DISPOSITION=OPEN_EXISTING;
Create a credential for Luna EKM Provider:
CREATE CREDENTIAL <Name of Credential>
WITH IDENTITY='<Name of EKM User>', SECRET='<HSM Partition Password>'
FOR CRYPTOGRAPHIC PROVIDER LunaEKMProvider;
Create a login based on the asymmetric key:
CREATE LOGIN <Name of Login>
FROM ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;
Map the credential to the created login:
ALTER LOGIN <Name of Login>
ADD CREDENTIAL <Name of Credential>;
Repeat Steps 2-5 for All Secondary Nodes.
It is essential to repeat the procedure for every node in the database. This is necessary because the TDE encryption key, credential, and login are objects residing in the master database and are not automatically replicated when including a node in the Availability Groups.
Enable TDE key rotation on the primary replica:
USE tde;
ALTER DATABASE ENCRYPTION KEY
REGENERATE
WITH ALGORITHM = AES_128
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY SQL_EKM_RSA_2048_Key_TDE_Rot;
go
SELECT * FROM sys.dm_database_encryption_keys;
go
Query the status of database encryption and key rotation:
SELECT
DB_NAME(e.database_id) AS DatabaseName,
e.database_id,
e.encryption_state,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc,
c.name,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.asymmetric_keys AS c
ON e.encryptor_thumbprint = c.thumbprint;
Troubleshooting tips
Here are some troubleshooting tips for problems related to SQL Server and cryptographic operations.
Problem 1: Failed to verify Authenticode signature on DLL
Error Message: Failed to verify Authenticode signature on DLL 'C:\Program Files\LunaPCI\EKM\LunaEKM.dll'.
Solution:
Visit http://www.verisign.com/support/roots.html and download all root certificates.
Install the downloaded certificate.
Import the certificate into the Trusted Root Certification Authorities store.
Problem 2: CREATE CRYPTOGRAPHIC PROVIDER fails with error code 1
Error Message: Cannot initialize cryptographic provider. Provider error code: 1. (Failure - Consult EKM Provider for details)
Solution:
Reboot the OS server.
Try to create the cryptographic provider again.
Problem 3: Unable to open symmetric key encrypted by asymmetric key
Error Message: An error occurred during decryption. Msg 15466, Level 16, State 28, Line 1.
Solution:
Download the cumulative update package for SQL Server provided by Microsoft.
Apply the cumulative update to resolve the decryption issue.
The cumulative update package can be found at https://support.microsoft.com/en-us/help/4342123/cumulative-update-10-for-sql-server-2017.
