Skip to main content
illustration of man next to database shape

Defend your database

The nShield Database Security Option Pack allows nShield hardware security modules (HSMs) to seamlessly integrate with Microsoft SQL Server. Encrypting the data in your database protects the data, but the encryption keys that unlock the data must also be protected. The use of HSMs safeguards encryption keys by storing them separately from the data on a secure, trusted platform.

Beyond Security

Database Security Option Pack Benefits

database icon
Hardware Key Protection

Store database encryption keys in a secure, tamper-resistant environment to prevent copying or tampering.

user check icon white
User and Role Enforcement

Get stronger control for accessing encrypted data in Microsoft SQL Server.

key icon
Tighter Key Control

Limit access to database encryption keys via smart card authentication for administrators

support icon
Flexible Encryption Support

Both Transparent Data Encryption (TDE) and cell level encryption are supported.

Tech Specs

The SQLEKM provider has been tested to support the Enterprise Editions of:

  • Microsoft SQL Server 2019
  • Microsoft SQL Server 2017

These are supported on the following platforms:

  • Windows Server 2019 R2 Standard (64-bit configuration)
  • Windows Server 2016 (64-bit configuration)

Supported Security World Software and nShield HSMs

The Database Security Option Pack for SQL Server is fully compatible with V12.40.2 or higher of the Security World Software and the following range of nShield HSMs:

  • nShield Solo 500+, 6000+ and Solo XC Base/Mid/High
  • nShield Connect 500+, 1500+, 6000+ and Connect XC Base/Mid/High.

Supported types of Database encryption

From a security perspective, the Microsoft SQL Server supports the use of cryptographic keys to protect its databases. These encryption keys can be used to perform two levels of encryption.

  • Transparent Data Encryption (TDE) is used to encrypt an entire database in a way that does not require changes to existing queries and applications. A database encrypted with TDE is automatically decrypted when SQL Server loads it into memory from disk storage, which means that a client can query the database within the server environment without having to perform any decryption operations. The database is encrypted again when saved to disk storage. When using TDE, data is not protected by encryption while in memory. Only one encryption key at a time per database can be used for TDE.
  • To use Cell-Level Encryption (CLE), you must specify the data to be encrypted and the key(s) with which to encrypt it. CLE uses one or more keys to encrypt individual cells or columns. It gives the ability to apply fine-grained access policies to the most sensitive data in a database. Only the specified data is encrypted: other data remains unencrypted. This mode of encryption can minimize data exposure within the database server and client applications. You can apply CLE to database tables that are also encrypted using TDE. Note that when using CLE, data is only decrypted in memory when required for use. Separate data can be encrypted using different encryption keys within the same data table.

Supported deployment configurations:

  • Stand-alone service
  • Database failover clusters using either nShield Solo or nShield Connect

What our customers are saying...

Square logo
Verifone logo
Memjet logo
Polycom logo


We have a long history together and we’re extremely comfortable continuing to rely on Entrust solutions for the core of our business. We have used Entrust HSMs for five years and they have always been exceptionally reliable. We’ve layered a lot of code on top of the HSM; it delivers the performance we need and has proven to be a rock-solid foundation.

Neal Harris, Security Engineering Manager, Square, Inc


As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected Entrust HSMs to provide robust security, unmatched performance, and superior scalability across our payment security platforms…

Joe Majka, Chief Security Officer, Verifone


The Entrust nShield sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth, and quality of the product documentation gave us confidence that the solution was well thought-out and supported.

Robert Fairlie-Cuninghame, QAI Technical Lead/Architect, Memjet


Entrust provided the expertise needed to design and implement a tailored, secure VoIP solution.

Marek Dutkiewicz, Polycom