Microsoft SQL Server 2019 Always Encrypted nShield HSM Integration Guide

- Solutions
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Industry
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. KeyControl for KMIP and Secrets
      Manage all your secrets and encryption keys, including how often you rotate and share them, securely at scale.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    2. nShield Solo
      PCI-Express card-based HSMs.
    3. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology alliance partners.
    Search for a Partner
  - Programs
  - Partner Logins
- Support & Services
  - Contact Support
  - TrustedCare
    Product downloads, technical support, marketing development funds.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - PKI Professional Services
  - Cryptographic Center of Excellence
    Construct best practices and define strategies that work across your unique IT environment.
    Learn More
  - Custom Cryptographic Solutions
    1. Code Signing
    2. HSM Application Integration
  - Product Deployment Services
  - Packaged Services
  - Training
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - 1. Leadership
    2. Blog
    3. Careers
    4. Events
    5. Webinars
    6. Podcasts
    7. News Articles
    8. Press Releases
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Shop
  - Entrust Certificate Services Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Entrust Certificate Services Retail
    Shop for new single certificate purchases.
    Learn More
  - Entrust Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- Search Entrust
  - Search:

Introduction
Install and configure
Generate the encryption keys
Encrypt or decrypt a column with SSMS
Encrypt or decrypt a column with PowerShell
Supported PowerShell SqlServer cmdlets

Introduction

Always Encrypted is a feature in Windows SQL Server 2019 designed to protect sensitive data both at rest and in flight between an on-premises client application server and Azure or SQL Server database(s).

Data protected by Always Encrypted remains in an encrypted state until it has reached the on–premises client application server. This effectively mitigates man-in-the-middle attacks and provides assurances against unauthorized activity from rogue DBAs or admins with access to Azure or SQL server Databases.

The nshield HSM secures the key used to protect the Column Master Key, stored in an encrypted state on the on-premises client application server.

Product configurations

Entrust successfully tested nshield HSM integration with Windows SQL Server 2019 and the Always Encrypted feature in the following configurations:

Remote server

Product	Version
SQL Server	Microsoft SQL Server 2019
Base OS	Windows Server 2019 Datacenter

On-premises client

Product	Version
SQL Server GUI	Microsoft SQL Server Management Studio V18.8
Base OS	Windows 10 Enterprise

Supported nshield features

Entrust successfully tested nshield HSM integration with the following features:

Feature	Support
Module Only Key	Yes
OCS cards	Yes

Supported nshield hardware and software versions

Entrust successfully tested with the following nshield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Module
12.80.4	FIPS 12.50.11	12.60.10	✓	✓
12.80.4	CC 12.50.7	12.50.7	✓	✓

Connect +

Security World Software	Firmware	Image	OCS	Module
12.80.4	FIPS 12.50.8	12.60.10	✓	✓
12.40 Compatibility Package	CC 2.55.4	12.45.1	✓	✓

Role separation

The generation of keys, and the application of these keys for encryption or decryption are separate processes. The processes can be assigned to users with various access permissions, or Duty Roles. The table below shows the processes and duty roles with reference to the Security Administrator and the Database Administrator.

Process	Duty Role
Generating the Column Master Key (CMK) and Column Encryption Key (CEK)	Security Administrator
Applying the CMK and CEK in the database	Database Administrator

Four database permissions are required for Always Encrypted.

Operation	Description
`ALTER ANY COLUMN MASTER KEY`	Required to generate and delete a column master key
`ALTER ANY COLUMN ENCRYPTION KEY`	Required to generate and delete a column encryption key
`VIEW ANY COLUMN MASTER KEY`	Required to access and read the metadata of the column master keys to manage keys or query encrypted columns
`VIEW ANY COLUMN ENCRYPTION KEY`	Required to access and read the metadata of the column encryption key to manage keys or query encrypted columns

Using multiple on-premises client servers

Each client server wanting access to the contents of data encrypted with a given CEK must have access to an HSM in the same Security World and have a copy of the CMK key token stored on its local drive.

Always Encrypted and TDE

The same Security World can be used for Always Encrypted and TDE.

Install and configure

This installation must be performed on the on-premises client computer.

The nshield Security World software will be installed on this computer. This computer will also be made a client of the HSM.

Install the Security World software and create a Security World

Install the Security World software. For instructions, see the Installation Guide and the User Guide for the HSM.
Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path.
Open the firewall port 9004 for the HSM connections.
Install the nshield Connect HSM locally, remotely, or remotely via the serial console. See the following nshield Support articles, and the Installation Guide for the HSM:

Open a command window and run the following to confirm that the HSM is operational .

C:\Users\dbuser>enquiry
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947 7724-8509-81E3 09AF-0BE9-53AA 9E10-03E0-D947
 mode                 operational
...
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947
 mode                 operational
 ...

Create your Security World if one does not already exist, or copy an existing one. Follow your organization’s security policy for this.

Confirm that the Security World is usable .

C:\Users\dbuser>nfkminfo
World
 generation  2
 state       0x37270008 Initialised Usable ...
 ...
Module #1
 generation 2
 state      0x2 Usable
 ...

Install and register the CNG provider

Open a command window as administrator and type the following to put the HSM in pre-initialization mode. This operation takes about a minute to complete.

C:\Windows\system32>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947
 mode                 operational
 ...

C:\Windows\system32>nopclearfail -I -m 1
Module 1, command ClearUnitEx: OK

C:\Windows\system32>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947
 mode                 pre-initialization
 ...

Select the Start button to access all applications. Look for the recently installed nshield utilities.
Double-click the CNG configuration wizard and run it as Administrator.
Select Next on the CNG Install welcome screen.
Select Next on the Enable HSM Pool Mode screen. Leave the Enable HSM Pool Mode for CNG Providers check box un-checked.

At the Security World screen, select:

Use the existing security world if you already have a Security World that you intend to use for Always Encrypted. The corresponding world and module_xxxx-xxxx-xxxx files most be present in the %NFAST_KMDATA%\local folder. Be prepared to present the quorum of Administrator cards.

Create a new Security World if you do not currently have a Security World or would like to create a new Security World.

Note	For the purposes of this integration guide we have chosen to use an existing Security World. For instructions on how to create and configure a new Security World, see the Installation Guide and User Guide for your HSM.

Select Next .

The Set Module States pop-up shows the available HSM(s). Select the desired HSM. The state of the selected HMS should be (pre-)initialisation . Select Next .
At the Module Programming Options screen, clear Enable this module as a remote target and select Next . It will take about a minute before the screen changes.

Note
Please be aware that this is not to be confused with the nshield Remote Administration utility.
Insert the first Administrator Card in the HSM, enter the passphrase and select Next . Repeat this step for the other Administrator Cards as required.

Loading or creating the Security World takes about a minute.

Return the HSM to Operational mode. This operation takes about a minute to complete.

C:\Windows\system32>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947
 mode                 initialization
 ...

C:\Windows\system32>nopclearfail -O -m 1
Module 1, command ClearUnitEx: OK

C:\Windows\system32>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947
 mode                 operational
 ...

The module state will change to Usable .

Select Next .

Select Operator Card Set in the Key Protection Setup . Select Next .

Select Next .
Enter the OCS name, K of N values, and check Persistent and Usable remotely as show.

Select Next .
Insert a blank Operator Card in the HSM. On the Insert Next Card screen enter a name to for the OCS card and passphrase.

Select Next .
Select Next and Finish . The nshield CNG providers will now be installed and the key Storage Provider will be registered.

Open a command window as administrator and type the following to confirm the KSP has been successfully registered. Look for nCipher Security World Key Storage Provider .

C:\Windows\system32>cnglist.exe --list-providers
Microsoft Key Protection Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider

Check the registry in CNGRegistry :
```
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider
```

Install and configure SqlServer PowerShell module

Open a PowerShell session as Administrator and run:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-PackageProvider Nuget –force –verbose

Update PowerShellGet:

Install-Module –Name PowerShellGet –force –verbose

Download and install the SqlServer module to configure Always Encrypted using Power Shell:
```
Install-Module -Name SqlServer -force -verbose -AllowClobber
```
Note
The -AllowClobber parameter allows you to import the specified commands if it exists in the current session.
Once installed (if you are using PowerShell ISE refresh the Commands pane if you are using PowerShell open a new session), confirm the install by running:
```
Get-Module -list -Name SqlServer
```

You should see something similar to the output below:

Directory: C:\Program Files\WindowsPowerShell\Modules

ModuleType Version    Name          ExportedCommands
---------- -------    ----          ----------------
Manifest   21.0.17152 SqlServer     {Add-SqlColumnEncryptionKeyValue, Complete-SqlColumnMasterKeyRotatio…

Generate the encryption keys

Generate the Always Encrypted Column Master Key (CMK) protected by the nshield HMS

Launch PowerShell on the on-premises client computer as Administrator, and run the Generate_CMK.ps1 script.
```
$cngProviderName = "nCipher Security World Key Storage Provider"

$cngAlgorithmName = "RSA"

$cngKeySize = 2048

$cngKeyName = "AECMK"

$cngProvider = New-Object System.Security.Cryptography.CngProvider($cngProviderName)

$cngKeyParams = New-Object System.Security.Cryptography.CngKeyCreationParameters

$cngKeyParams.provider = $cngProvider

$cngKeyParams.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::OverwriteExistingKey

$keySizeProperty = New-Object System.Security.Cryptography.CngProperty("Length", [System.BitConverter]::GetBytes($cngKeySize), [System.Security.Cryptography.CngPropertyOptions]::None);

$cngKeyParams.Parameters.Add($keySizeProperty)

$cngAlgorithm = New-Object System.Security.Cryptography.CngAlgorithm($cngAlgorithmName)

$cngKey = [System.Security.Cryptography.CngKey]::Create($cngAlgorithm, $cngKeyName, $cngKeyParams)
```
The command line is
```
> PowerShell -ExecutionPolicy Bypass -File Generate_CMK.ps1
```
1. The following pop-window should appear. Select Next .
2. Select the Operator Card Set Protection . Insert the OCS card in the HSM and select Next .
3. Select Next .
4. Select the HSM and select Finish .
5. Enter the OCS passphrase and select Next .
6. Select Finish .
A 2048-bit RSA key pair, called AECMK , has been generated. The key is encrypted in the HSM, and then pushed to the requesting On-Premise Client server, where it is stored as an Application Key Token in the %NFAST_KMDATA%\local folder ( :\ProgramData\nCipher\Key Management Data\local ).

Verify the new key as follows on a command window.

C:\Users\dbuser>nfkminfo -k

Key list - 1 keys
 AppName caping               Ident s-1-5-21-2556418611-2173580918-1658130183-1001--7b7eb65c095c556e5da059480e6ca2ed512dacc1

Display the information about the key by copy-pasting the key name above as follows.

C:\Users\dbuser>nfkminfo -k caping s-1-5-21-2556418611-2173580918-1658130183-1001--7b7eb65c095c556e5da059480e6ca2ed512dacc1
Key AppName caping Ident s-1-5-21-2556418611-2173580918-1658130183-1001--7b7eb65c095c556e5da059480e6ca2ed512dacc1
 BlobKA length         1128
 BlobPubKA length      484
 BlobRecoveryKA length 1496
 name                  "AECMK"
 hash                  76071834044810539e7354f468cc2cae61a448da
 recovery              Enabled
 protection            CardSet
 other flags           PublicKey !SEEAppKey !NVMemBlob +0x0
 cardset               0e8d19801b25d774c3b2bab5a643ec7c20a5255d
 gentime               2021-03-30 19:18:14
 SEE integrity key     NONE

BlobKA
 format                6 Token
 other flags           0x0
 hkm                   2a2e6b22ad6a72673473511d91304efd2f76e197
 hkt                   0e8d19801b25d774c3b2bab5a643ec7c20a5255d
 hkr                   none

BlobRecoveryKA
 format                9 UserKey
 other flags           0x0
 hkm                   none
 hkt                   none
 hkr                   fc4cbd1a6e88c08dd35912d0aecabf47ff1e0c2a

BlobPubKA
 format                5 Module
 other flags           0x0
 hkm                   c2be99fe1c77f1b75d48e2fd2df8dffc0c969bcb
 hkt                   none
 hkr                   none

Extra entry #1
 typecode              0x10000 65536
 length                60
Not a blob

Generate My Column Master Key (MyCMK) and My Column Encryption Key (MyCEK) with SSMS

This key will encrypt all subsequent Column Encryption keys (CEKs) in your database.

Launch Microsoft SQL Server Management Studio on the on-premises client computer.
As the dbuser user, connect to the database on the SQL server on the hosting site.
Using Object Explorer , select the Security directory under the desired Database. Select Always Encrypted Keys to expand it, then select New Column Master Key .
Enter the following information on the Column Master Keys pop-up window, then select Next
1. Enter a name, for example MyCMK .
2. Select Key Storage Provider (CNG) from the Key store drop-down list. This will then present the option to Select a provider .
3. Select nCipher Security World Key Storage Provider from the drop-down list.
4. The AECMK key created in an earlier step appears in Name . Select OK to create a new key using the nshield HSM and CNG KSP.
Notice the newly created MyCMK in the database Security\Always Encrypted Keys\Column Master Keys .
Using Object Explorer , select the Security directory under the desired Database. Select Always Encrypted Keys to expand it, then select New Column MEncryption Key .
Enter Name and select OK .
Present the OCS and select Next .
Select the HSM and select Finish .
Enter the passphrase and select Next .
Select Finish after the OCS card reading completes.
Notice the newly created MyCEK in the database Security\Always Encrypted Keys\Column Encryption Keys .

Generate My Column Master Key (MyCMK) and My Column Encryption Key (MyCEK) with PowerShell

Delete MyCEK and MyCMK created above by right-clicking each key and selecting Delete .

Launch PowerShell on the on-premises client computer and run the Generate_MyCMK_and_MyCEK.ps1 script.

# Import the SqlServer module.
Import-Module SqlServer

# Connect to database.
$ConnectionString = "Data Source=<DB_Server_IP>,49170;Initial Catalog=TestDatabase;User ID=dbuser;Password=<dbuser_Password>;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=True;TrustServerCertificate=True;Packet Size=4096;Application Name=`"Microsoft SQL Server Management Studio`""
$Database = Get-SqlDatabase -ConnectionString $ConnectionString

# Create a SqlColumnMasterKeySettings object for your column master key.
$cmkSettings = New-SqlCngColumnMasterKeySettings -CngProviderName "nCipher Security World Key Storage Provider" -KeyName "AECMK"

# Create column master key metadata in the database.
New-SqlColumnMasterKey -Name "MyCMK" -InputObject $Database -ColumnMasterKeySettings $cmkSettings

# Generate a column encryption key, encrypt it with the column master key and create column encryption key metadata in the database.
New-SqlColumnEncryptionKey -Name "MyCKE" -InputObject $Database -ColumnMasterKey "MyCMK"

The command line is

> PowerShell -ExecutionPolicy Bypass -File Generate_MyCMK_and_MyCEK.ps1

Name
-----
MyCMK
MyCEK

Present the OCS, select the HSM, and enter the passphrase.
Notice the newly created MyCMK in the database Security\Always Encrypted Keys\Column Master Keys .

Encrypt or decrypt a column with SSMS

Encrypt a column

Launch Microsoft SQL Server Management Studio on the on-premises client. Connect with the dbuser account to the database on the SQL server.
Right-click the database, TestDatabase , and select Tasks > Encrypt Columns .
Select Next on the Introduction screen.
Select the column and encryption type on the Column Selection screen and select Next .
Select MyCMK on the Master key Configuration window. Select Next .
Select Proceed to finish now radio button and select Next .
Verify the configuration choices on the Summary screen. Select Next .
Present the OCS that is protecting the CMK and select Finish .
Select the HSM and select Next .
Enter the passphrase, and select Next .
Select Finish .
Select Close .

The column has been encrypted in the SQL server, but it shows as clear text on the Microsoft SQL Server Management Studio GUI on the on-premises client. This is because Always Encrypted is performing the decryption at the on-premises client site.

View an encrypted column

Reconnect to the SQL server with Always Encrypted disabled to view the encrypted data stored in the SQL server.

Connect to the SQL server from the on-premises client, but with the Enable Always Encrypted unchecked.
Right-click dbo.Table , and select Select Top 1000 Rows . The column that was chosen for encryption now appears as ciphertext, that is, as an encrypted value.
Reconnect to the SQL server from the on-premises client, but with the Enable Always Encrypted checked. Be prepared to provide the OCS. Select Next .
Select the HSM. Select Finish .
Enter the passphrase. Select Next .
Select Finish .
Right-click dbo.Table , and select Select Top 1000 Rows . The column that was chosen for encryption is now being decrypted by Always Encrypted with the key protected by the nCipher HSM.
Select Finish .

Remove column encryption

Right-click the required database and in the Tasks menu and select Encrypt Columns .
Select Next on the Introduction screen.
Select Plaintext from the drop down list in the Encryption Type and select Next .
Select Next on the Master Key Configuration window.
Select the Proceed to finish now radio button and select Next .
Select Finish on the Summary window.
Present the OCS and select Next .
Select the HSM and select Finish .
Enter the passphrase and select Next .
Select Finish upon Card reading complete .

The column has been decrypted in the SQL server. To view the plain text data stored SQL server, reconnect to the server with Always Encrypted disabled, see View an encrypted column .

Encrypt or decrypt a column with PowerShell

Encrypt a column

Launch PowerShell on the on-premises client computer and run the following script named Encrypt_Column_Named_Password.ps1.

# Import the SqlServer module.
Import-Module SqlServer

# Connect to database.
$ConnectionString = "Data Source=<DB_Server_IP>,49170;Initial Catalog=TestDatabase;User ID=dbuser;Password=<dbuser_Password>;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=True;TrustServerCertificate=True;Packet Size=4096;Application Name=`"Microsoft SQL Server Management Studio`""
$Database = Get-SqlDatabase -ConnectionString $ConnectionString

# Change encryption schema.
$encryptionChanges = @()

# Add changes for table [dbo].[TestTable]
$encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.Password -EncryptionType Randomized -EncryptionKey "MyCEK"
Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptionChanges -InputObject $Database

The command line is

> PowerShell -ExecutionPolicy Bypass -File Encrypt_Column_Named_Password.ps1

Present the OCS, select the HSM, and enter the passphrase.

The column has been encrypted in the SQL server, but it shows as clear text on the Microsoft SQL Server Management Studio screen on the on-premises client. This is because Always Encrypted is performing the decryption at the on-premises client site.

View an encrypted column

Reconnect to the SQL server with Always Encrypted disabled to view the encrypted data stored in the SQL server. See encrypt-decrypt-column-with-ssms.html .

Remove column encryption

Launch PowerShell on the on-premises client computer and run the following script named Decrypt_Column_Named_Password.ps1.

# Import the SqlServer module.
Import-Module SqlServer

# Connect to database.
$ConnectionString = "Data Source=<DB_Server_IP>,49170;Initial Catalog=TestDatabase;User ID=dbuser;Password=<dbuser_Password>;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=True;TrustServerCertificate=True;Packet Size=4096;Application Name=`"Microsoft SQL Server Management Studio`""
$Database = Get-SqlDatabase -ConnectionString $ConnectionString

# Change encryption schema
$encryptionChanges = @()

# Add changes for table [dbo].[TestTable]
$encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.Password -EncryptionType Plaintext
Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptionChanges -InputObject $Database

The command line is

> PowerShell -ExecutionPolicy Bypass -File Decrypt_Column_Named_Password.ps1

Present the OCS, select the HSM, and enter the passphrase.

The column has been decrypted in the SQL server. To view the plain text data stored SQL server, reconnect to the server with Always Encrypted disabled, see encrypt-decrypt-column-with-ssms.html .

Supported PowerShell SqlServer cmdlets

PowerShell cmdlet	Description
`Add-SqlColumnEncryptionKeyValue`	Adds a new encrypted value for an existing column encryption key object in the database.
`Complete-SqlColumnMasterKeyRotation`	Completes the rotation of a column master key.
`Get-SqlColumnEncryptionKey`	Returns all column encryption key objects defined in the database, or returns one column encryption key object with the specified name.
`Get-SqlColumnMasterKey`	Returns the column master key objects defined in the database, or returns one column master key object with the specified name.
`Invoke-SqlColumnMasterKeyRotation`	Initiates the rotation of a column master key.
`New-SqlAzureKeyVaultColumnMasterKeySettings`	Creates a `SqlColumnMasterKeySettings` object describing an asymmetric key stored in Azure Key Vault.
`New-SqlCngColumnMasterKeySettings`	Creates a `SqlColumnMasterKeySettings` object describing an asymmetric key stored in a key store supporting the Cryptography Next Generation (CNG) API.
`New-SqlColumnEncryptionKey`	Creates a new column encryption key object in the database.
`New-SqlColumnEncryptionKeyEncryptedValue`	Produces an encrypted value of a column encryption key.
`New-SqlColumnEncryptionSettings`	Creates a new `SqlColumnEncryptionSettings` object that encapsulates information about a single column’s encryption, including CEK and encryption type.
`New-SqlColumnMasterKey`	Creates a new column master key object in the database.
`New-SqlCspColumnMasterKeySettings`	Creates a `SqlColumnMasterKeySettings` object describing an asymmetric key stored in a key store with a Cryptography Service Provider (CSP) supporting Cryptography API (CAPI).
`Remove-SqlColumnEncryptionKey`	Removes the column encryption key object from the database.
`Remove-SqlColumnEncryptionKeyValue`	Removes an encrypted value from an existing column encryption key object in the database.
`Remove-SqlColumnMasterKey`	Removes the column master key object from the database.
`Set-SqlColumnEncryption`	Encrypts, decrypts or re-encrypts specified columns in the database.

The full list of cmdlets and additions to the SqlServer module can be found at https://docs.microsoft.com/en-us/powershell/module/sqlserver/?view=sqlserver-ps .

Table of Contents
Introduction
Install and configure
Generate the encryption keys
Encrypt or decrypt a column with SSMS
Encrypt or decrypt a column with PowerShell
Supported PowerShell SqlServer cmdlets

RESOURCES

Integration Guide
Microsoft SQL Server 2019 Always Encrypted nShield HSM Integration Guide

Table of Contents

Introduction

Product configurations

Remote server

On-premises client

Supported nshield features

Supported nshield hardware and software versions

Connect XC

Connect +

Role separation

Using multiple on-premises client servers

Always Encrypted and TDE

Install and configure

Install the Security World software and create a Security World

Install and register the CNG provider

Install and configure SqlServer PowerShell module

Generate the encryption keys

Generate the Always Encrypted Column Master Key (CMK) protected by the nshield HMS

Generate My Column Master Key (MyCMK) and My Column Encryption Key (MyCEK) with SSMS

Generate My Column Master Key (MyCMK) and My Column Encryption Key (MyCEK) with PowerShell

Encrypt or decrypt a column with SSMS

Encrypt a column

View an encrypted column

Remove column encryption

Encrypt or decrypt a column with PowerShell

Encrypt a column

View an encrypted column

Remove column encryption

Supported PowerShell SqlServer cmdlets