Microsoft SQL Server nShield HSM

- Solutions
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Industry
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. KeyControl for KMIP and Secrets
      Manage all your secrets and encryption keys, including how often you rotate and share them, securely at scale.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    2. nShield Solo
      PCI-Express card-based HSMs.
    3. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology alliance partners.
    Search for a Partner
  - Programs
  - Partner Logins
- Support & Services
  - Contact Support
  - TrustedCare
    Product downloads, technical support, marketing development funds.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - PKI Professional Services
  - Cryptographic Center of Excellence
    Construct best practices and define strategies that work across your unique IT environment.
    Learn More
  - Custom Cryptographic Solutions
    1. Code Signing
    2. HSM Application Integration
  - Product Deployment Services
  - Packaged Services
  - Training
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - 1. Leadership
    2. Blog
    3. Careers
    4. Events
    5. Webinars
    6. Podcasts
    7. News Articles
    8. Press Releases
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Shop
  - Entrust Certificate Services Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Entrust Certificate Services Retail
    Shop for new single certificate purchases.
    Learn More
  - Entrust Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- Search Entrust
  - Search:

Introduction
Setup
Configure TDE
Perform backup and recovery
Column level encryption
- Generate a key
- Column encryption
Upgrade nDSOP

Introduction

This document describes how to integrate Microsoft SQL Server with the nshield Database Security Option Pack (nDSOP V2.1) using an Entrust nshield hardware security module (HSM) as a Root of Trust for storage encryption.

Product configurations

Entrust tested the integration with the following versions:

Product	Version
Base OS	Windows Server 2019 Datacenter
SQL Server	Microsoft 2016 Enterprise Microsoft 2019 Enterprise
Microsoft SQL Server Management Studio	v18.8

Product

Version

Base OS

Windows Server 2019 Datacenter

SQL Server

Microsoft 2016 Enterprise

Microsoft 2019 Enterprise

Microsoft SQL Server Management Studio

v18.8

Supported nshield hardware and software versions

Entrust tested the integration with the following nshield HSM hardware and software versions, and SQLEKM provider:

Product	Security World	Firmware	Netimage
Connect XC	12.60.11	FIPS 12.50.11	12.60.10

Supported nshield SQLEKM provider:

Product	Version
nDSOP	2.1

Supported nshield functionality

Functionality	Support
FIPS 140-2 Level 3	Yes
Key Management	Yes
Key Generation	Yes
Key Recovery	Yes
1 of N Card Set	Yes
Softcards	Yes
Module Only Key	No
Fail Over	Yes
Load Balancing	Yes
nSaaS	Yes

Requirements

Familiarize yourself with:

The Microsoft SQL Server features and documentation.
The Microsoft SQL Server Management Studio features and documentation.
The T-SQL language. You should be able to perform basic SQL tasks such as creating a database or tables.
Database security concepts and practices.
The documentation for the HSM.

Setup

Prerequisites:

A Windows Server with Microsoft SQL server.
SQL Server Management Studio installed.
The database TestDatabase has been created and is available for the integration.

Install the Security World software and create a Security World

Install the Security World software by double-clicking on the SecWorld_Windows-xx.xx.xx.iso file. For detailed instructions, see the Installation Guide and the User Guide for the HSM available from the installation disc.
Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path.
Open the firewall port 9004 for the HSM connections.
Install the nshield Connect HSM locally, remotely, or remotely via the serial console. See the following nshield Support articles, and the Installation Guide for the HSM:

Open a command window and run the following to confirm that the HSM is operational .

C:\Users\dbuser>enquiry
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947 7724-8509-81E3 09AF-0BE9-53AA 9E10-03E0-D947
 mode                 operational
...
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        530E-02E0-D947
 mode                 operational
 ...

Create your Security World if one does not already exist, or copy an existing one. Follow your organization’s security policy for this. Create extra ACS cards as spares in case of a card failure or lost. These cannot be duplicated after the Security World is created.

Confirm that the Security World is usable .

C:\Users\dbuser>nfkminfo
World
 generation  2
 state       0x37270008 Initialised Usable ...
 ...
Module #1
 generation 2
 state      0x2 Usable
 ...

Install the nshield nDSOP

Mount the nDSOP_Windows-x.x.x.iso file.
Double-click the setup file and follow the instructions.

Create the Operator Card Set (OCS) or Softcard

The OCS or Softcard and associated passphrase will be used to authorize access to specific keys protected by the SQLEKM provider. Typically, one or the other will be used, rarely both.

Create the OCS

A SQL Server credential (as used for EKM) maps one protecting token to one stored passphrase. It can store information for only one token at a time. An OCS does have a quorum. But a quorum greater than one cannot be directly supported by the SQL Server, neither can different passphrases for each card in an OCS. Therefore, use an OCS quorum of one.

Recovering from a power failure requires the OCS to be inserted in the HSM itself regardless. Do not use OCS with a TVD if you want automatic recovery unless you come up with a work-around.

Ensure the C:\ProgramData\nCipher\Key Management Data\config\cardlist file contains the serial number of the card(s) to be presented, or the wildcard value.
Open a command window as administrator.
Execute the following command. Enter a passphrase or password at the prompt. Follow your organization’s security policy for this for the values K/N, where K=1 as mentioned above. Use the same passphrase for all the OCS cards in the card set (one for each person with access privilege, plus the spares). After an OCS card set has been created, the cards cannot be duplicated. Notice that slot 2 , remote via a Trusted Verification Device (TVD), is used to present the card.
```
>>createocs -m1 -s2 -N nDSOPocs -Q 1/1

FIPS 140-2 level 3 auth obtained.

Creating Cardset:
 Module 1: 0 cards of 1 written
 Module 1 slot 0: Admin Card #1
 Module 1 slot 2: blank card
 Module 1 slot 3: empty
 Module 1 slot 2:- passphrase specified - writing card
Card writing complete.

cardset created; hkltu = 6c9c2b7c32fb884a531e08f7a37edc3924fb5e76
```
Add the -p (persistent) option to the command above to be able to encrypt/decrypt the database after the OCS card has been removed from the HSM front panel slot, or from the TVD. The authentication provided by the OCS as shown in the command line above is non-persistent and only available while the OCS card is inserted in the HSM front panel slot, or the TVD.

Verify the OCS created.

>nfkminfo -c
Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
 Operator logical token hash               k/n timeout  name
 6c9c2b7c32fb884a531e08f7a37edc3924fb5e76  1/1  none-NL nDSOPocs

Create the Softcard

A SQL Server credential (as used for EKM) maps one protecting token to one stored passphrase. Softcards are singular and do not have a quorum, so the SQL Server credential matches them quite well.

Recovering from a power failure with Softcard does not requires smart cards.

Ensure the C:\Program Files\nCipher\nfast\cknfastrc file exists with the following content. Otherwise, create it.
```
> type "C:\Program Files\nCipher\nfast\cknfastrc"
CKNFAST_LOADSHARING=1
```

Execute the following command. Enter a passphrase or password at the prompt.

>>ppmk -n nDSOPsoftcard

Enter new pass phrase:
Enter new pass phrase again:
New softcard created: HKLTU 629a3a902eec139fb5136afec7b0f0801f45b60d

Verify the Softcard created.

>nfkminfo -s
SoftCard summary - 1 softcards:
 Operator logical token hash               name
 629a3a902eec139fb5136afec7b0f0801f45b60d  nDSOPsoftcard

The rocs utility shows the OCS and Softcard created.

>rocs
`rocs' key recovery tool
Useful commands: `help', `help intro', `quit'.
rocs> list cardset
No. Name                     Keys (recov) Sharing
  1 nDSOPocs                 1 (1)        1 of 1
  2 nDSOPsoftcard            0 (0)        (softcard)
rocs> quit

Enable EKM and register the SQLEKM provider

Launch the SQL Server Management Studio GUI.
Enable EKM by executing the following query:
```
sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO
```

CREATE CRYPTOGRAPHIC PROVIDER nDSOP
    FROM FILE = 'C:\Program Files\nCipher\nfast\bin\ncsqlekm.dll'

Check the SQLEKM provider is listed in the SQL Server Management Studio GUI. Go to Security > Cryptographic Providers . You should see nDSOP . Right-click it to verify that it is enabled.

Verify the SQLEKM provider configuration

Run the following query.
```
SELECT * FROM sys.cryptographic_providers;
```
Verify the following:
- The version matched that of the nDSOP installation iso .
- Path to dll is correct.
- is_enabled column set to 1 .
Run the following query.
```
SELECT * FROM sys.dm_cryptographic_provider_properties;
```
Verify the following:

Column Value

friendly_name

nCipher SQLEKM Provider

authentication_type

BASIC

symmetric_key_support

1

asymmetric_key_support

1
Verify the supported cryptographic algorithms can be queried by running the following query:
```
DECLARE @ProviderId int;
SET @ProviderId = (SELECT TOP(1) provider_id FROM sys.dm_cryptographic_provider_properties
WHERE friendly_name LIKE 'nCipher SQLEKM Provider');
SELECT * FROM sys.dm_cryptographic_provider_algorithms(@ProviderId);
GO
```
Notice each key type has its set of valid algorithms.

Key Type Algorithm

Symmetric

AES_128, AES_192, ASE_256

Asymmetric

RSA_2048, RSA_3072, RSA_4096

Column	Value
friendly_name	nCipher SQLEKM Provider
authentication_type	BASIC
symmetric_key_support	1
asymmetric_key_support	1

Key Type	Algorithm
Symmetric	AES_128, AES_192, ASE_256
Asymmetric	RSA_2048, RSA_3072, RSA_4096

Create the user SQL Server credential

Verify the OCS or Softcard created above.

>nfkminfo -c
Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
 Operator logical token hash               k/n timeout  name
 6c9c2b7c32fb884a531e08f7a37edc3924fb5e76  1/1  none-NL nDSOPocs

>nfkminfo -s
SoftCard summary - 1 softcards:
 Operator logical token hash               name
 629a3a902eec139fb5136afec7b0f0801f45b60d  nDSOPsoftcard

Navigate to Security > Credentials in SQL Server Management Studio.
Right-click Credentials , then select New Credential .
Enter the credential name, and the OCS card name and passphrase. Check Use Encryption Provider and select nDSOP . Select OK .
Verify the new credential in Security > Credentials . May need to right-click and select Refresh .
Navigate to Security > Logins . Right-click the login used to access the TestDatabase and select Properties .
Check Map to Credentials in the dialog. Select the server credential created above in the drop-down to the right. Then select Add , and select OK .

Configure TDE

The TDE Database Encryption Key (TDEDEK) is a symmetric key that is used to perform the actual encryption of the database. It is unique to a given database. It is created by SQL Server and cannot be exported from the database, meaning it cannot be created or directly protected by the SQLEKM provider (nshield HSM).

The TDEDEK is protected within the database by encrypting it with a wrapping key. The wrapping key is called the TDE Key Encryption Key (TDEKEK), an asymmetric key protected by the SQLEKM provider in the nshield HSM. It is possible to have a single TDEKEK for multiple databases, or different TDEKEKs for different databases.

The TDEKEK must be created under the tdeLogin/tdeCredential. However, the current user does not have to use the tdeCredential, so long as the user credential is using the same OCS or Softcard as the tdeCredential.

Create a TDEKEK

The TDEKEK is created in the master database.

Insert the OCS in the HSM slot or TVD. No action is needed if you are using Softcard protection.
Run the following query.
```
USE master;
CREATE ASYMMETRIC KEY "<name_of_key_in_database>"
FROM PROVIDER "<SQLEKM_provider>"
WITH
PROVIDER_KEY_NAME = '<name_of_key_in_SQLEKM_provider>',
CREATION_DISPOSITION = CREATE_NEW,
ALGORITHM = <asymmetric_algorithm_desc>;
GO
```
name_of_key_in_database

The name you want to give the key in the database.

name_of_key_in_SQLEKM_provider

The name you want to give the key in the SQLEKM provider.

asymmetric_algorithm_desc
A valid asymmetric key algorithm descriptor. See Verify the SQLEKM provider configuration .

Example:
USE master; CREATE ASYMMETRIC KEY "AsymTestWrappingKeyDatabase" FROM PROVIDER "nDSOP" WITH PROVIDER_KEY_NAME = 'AsymTestWrappingKeySQLEKM', CREATION_DISPOSITION = CREATE_NEW, ALGORITHM = RSA_2048; GO
Notice the newly created key highlighted in the object explorer.

The key generated can also be verified by a CLI command.

>nfkminfo -l

Keys protected by cardsets:
key_simple_sqlekm-6c9c2b7c32fb884a531e08f7a37edc3924fb5e76-67703babb0c40915c62f6afe4c49c741c414e24b 'AsymTestWrappingKeySQLEKM'

The rocs utility shows the names and protection methods of the keys.

>rocs
'rocs' key recovery tool
Useful commands: 'help', 'help intro', 'quit'.
rocs> list keys
  No. Name                     App        Protected by
    1 AsymmetricTestKeySQLEKM  simple     nDSOPocs
rocs> quit

Create a TDE login and credential

A tdeLogin and tdeCredential allows an ordinary database user, who is fully authorized to use the database, but has no SQLEKM credentials of their own, to perform query operations using a TDE encrypted database. Without the tdeLogin and tdeCredential, then every user would need their own credentials. It is beyond the scope of this document to provide an example of how to use these credentials, only on how to create them.

Create a TDE credential

In SQL Server Management Studio, navigate to Security > Credentials .
Right-click Credentials , then select New Credential .
Enter the Credential name .
Enter the Identity as the name of the OCS or Softcard created above.
Enter the Password as the passphrase on the OCS or Softcard.
Select Use Encryption Provider . Select the provider. Then select OK .
Notice the credential created.

Create the TDE login

In SQL Server Management Studio, navigate to Security > Logins .
Right-click Logins , then select New Login .
Enter the Login name .
Select Mapped to asymmetric key . Then select the asymmetric key that you created earlier.
Select Map to Credential . Then select the TDE credential created earlier. Then select Add .
Select OK .
Notice the login created.

Create the TDEDEK and switch on encryption

In SQL Server Management Studio, navigate to Databases > TestDatabase .
Right-click TestDatabase, then select Tasks > Manage Database Encryption .
Set Encryption Algorithm to AES 256 or your choice.
Select Use server asymmetric key . Then select the asymmetric key that you have created earlier.
Select Set Database Encryption On . Then select OK . Restart the Microsoft SQL Server Management Studio and repeat these steps if it fails.

Run the following query to verify the encryption state.

/****** Script for SelectTopNRows command from SSMS  ******/
SELECT DB_NAME(e.database_id) AS DatabaseName, e.database_id, e.encryption_state, CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc, c.name, e.percent_complete FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint

The following table shows the value returned for encryption state and the meaning.

Encryption state	Meaning
0	Encryption disabled (or no encryption key)
1	Unencrypted or Decrypted
2	Unencrypted or Decrypted
3	Encrypted
4	Key change in progress
5	Decryption in progress
6	Protection change in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed)

Turn off encryption of by clearing Set Database Encryption On in the steps above.

Key rotation - Replace the TDEKEK

This is the wrapping key called TDE Key Encryption Key, an asymmetric key protected by the SQLEKM provider in the nshield HSM.

Follow the procedure in Create a TDEKEK to create a new asymmetric TDEKEK. Give it a new name.

Example:

USE master;
CREATE ASYMMETRIC KEY "AsymTestWrappingKeyDatabase2"
FROM PROVIDER "nDSOP"
WITH
PROVIDER_KEY_NAME = 'AsymTestWrappingKeySQLEKM2',
CREATION_DISPOSITION = CREATE_NEW,
ALGORITHM = RSA_2048;
GO

In SQL Server Management Studio, navigate to Databases > TestDatabase .
Right-click TestDatabase, then select Tasks > Manage Database Encryption .
Select Re-Encrypt Database Encryption Key and Use server asymmetric . Select newly created asymmetric key AsymTestWrappingKeyDatabase2 .
Unselect Regenerate Database Encryption Key .
Select Set Database Encryption On . Select OK .

Key rotation - Replace the TDEDEK

This is the key called TDE Database Encryption Key, a symmetric used to perform the actual encryption of the database. It is created by SQL Server and cannot be exported from the database. It is protected within the database by encrypting it with a wrapping key TDEKEK.

In SQL Server Management Studio, navigate to Databases > TestDatabase .
Right-click TestDatabase, then select Tasks > Manage Database Encryption .
Unselect Re-Encrypt Database Encryption Key .
Select Regenerate Database Encryption Key . Then select AES 256 .
Select Set Database Encryption On . Then select OK .
Verify the encryption state as shown in Create the TDEDEK and switch on encryption .

Perform backup and recovery

An encrypted database and Security World are associated with each other. Both need a backup.

Back up the Security World

The Security World data is inherently encrypted and does not require any further encryption operation to protect it. It can only be used by someone who has access to a quorum of the correct ACS cards, or the OCS card, Softcard, their passphrases, an nshield HSM and nshield Security World Software. Therefore, backup simply consists of making a copy of the Security World files and saving the copy in a safe location, as necessary to restore the keys used by the database.

Back up C\:ProgramData\nCipher\Key Management Data .
Securely store and keep a record of ACS and OCS cards associated with each Security World, preferable using the serial number on the cards.
The Softcard, used instead of OCS, resides in the Key Management Data folder. It is backed up when you back up C\:ProgramData\nCipher\Key Management Data .
Keep a record of which database and which Security World backups correspond to each other.

Restore the Security World

Restoring a Security World simply means restoring a backup copy of the Security World folder C\:ProgramData\nCipher\Key Management Data .

The ACS is required if the Security World you are restoring is not already loaded onto your HSM. See the Installation Guide and the User Guide for the HSM. A short version is available at https://nshieldsupport.entrust.com/hc/en-us/articles/360021378272-How-To-Locally-Set-up-a-new-or-replacement-nShield-Connect .

Back up the database

Create the backup devices by running the following query:

-- Encrypted Backup
USE master;
GO

--Provide backup device and locations
EXEC sp_addumpdevice 'disk', 'EncryptedTestDatabaseBackup',
'C:\Program Files\Microsoft SQL Server\MSSQL15.INTEROPDATABASE\MSSQL\Backup\TestDatabaseEncrypted.bak';
GO

EXEC sp_addumpdevice 'disk', 'EncryptedTestDatabaseBackupLog',
'C:\Program Files\Microsoft SQL Server\MSSQL15.INTEROPDATABASE\MSSQL\Backup\TestDatabaseEncryptedLog.bak';
GO

Notice the devices created.

Create the backup by running the following query:

-- Encrypted Backup
USE master;
GO

ALTER DATABASE TestDatabase
SET RECOVERY FULL;
GO

-- Back up the encrypted database
BACKUP DATABASE TestDatabase TO EncryptedTestDatabaseBackup;
GO

-- Back up the encrypted log
BACKUP LOG TestDatabase TO EncryptedTestDatabaseBackupLog;
GO

Notice the backup files created.

C:\Program Files\Microsoft SQL Server\MSSQL15.INTEROPDATABASE\MSSQL\Backup>dir
 Volume in drive C has no label.
 Volume Serial Number is 2E72-65D9

 Directory of C:\Program Files\Microsoft SQL Server\MSSQL15.INTEROPDATABASE\MSSQL\Backup

07/15/2021  04:15 PM    <DIR>          .
07/15/2021  04:15 PM    <DIR>          ..
07/15/2021  04:15 PM         3,760,640 TestDatabaseEncrypted.bak
07/15/2021  04:15 PM            86,528 TestDatabaseEncryptedLog.bak
               2 File(s)      3,847,168 bytes
               2 Dir(s)   6,057,644,032 bytes free

If the database is encrypted, the backup will also be encrypted. If the database is not encrypted, then the backup will not be encrypted. If you want to create an encrypted backup from a non-encrypted database, you will have to create the non-encrypted backup file, and then encrypt the file using an independent encryption tool.

Restore the database

Restore a TDE encrypted database in a similar manner as an un-encrypted database. But for TDE encrypted database the Security World needs to be restored before restoring the encrypted database. The OCS, if used, needs to be inserted in the HSM before restoring the encrypted database. Otherwise the restored database will come up as (Restore Pending) .

Install the Security World software and the nshield nDSOP if rebuilding the server. Do not create a Security World.
Restore the Security World.
Insert the OCS in the HSM front panel slot, or the TVD if using OCS protection.
Enable EKM and register the SQLEKM provider if rebuilding the server.
Create the SQL Server credential if rebuilding the server. The OCS and Softcard are in the restored Security World.
Verify the SQLEKM provider configuration if rebuilding the server.
The database wrapping key (TDEKEK) should already exist in the restored Security World. Import it into the master database by running the following query:
```
USE master;
GO

-- Import TDEKEK2
CREATE ASYMMETRIC KEY "AsymTestWrappingKeyDatabase2"
FROM PROVIDER "nDSOP"
WITH
PROVIDER_KEY_NAME = 'AsymTestWrappingKeySQLEKM2',
CREATION_DISPOSITION = OPEN_EXISTING;
GO
```

Recreate the TDE logins and credentials by running the following query. Notice the name of the OCS ( nDSOPocs ), and Softcard ([.gui] nDSOPsoftcard ) created earlier.

OCS:

USE master;
GO

-- tdeLogin and tcdCredential
CREATE LOGIN tdeLogin FROM ASYMMETRIC KEY AsymTestWrappingKeyDatabase2;
CREATE CREDENTIAL tdeCredential WITH IDENTITY = 'nDSOPocs', SECRET = 'ncipher'
FOR CRYPTOGRAPHIC PROVIDER nDSOP;
ALTER LOGIN tdeLogin ADD CREDENTIAL tdeCredential;
GO

Softcard:

USE master;
GO

-- tdeLogin and tdeCredential
CREATE LOGIN tdeLogin FROM ASYMMETRIC KEY AsymTestWrappingKeyDatabase2;
CREATE CREDENTIAL tdeCredential WITH IDENTITY = 'nDSOPsoftcard', SECRET = 'ncipher'
FOR CRYPTOGRAPHIC PROVIDER nDSOP;
ALTER LOGIN tdeLogin ADD CREDENTIAL tdeCredential;
GO

Restore the database by running the following query:
```
USE master
ALTER DATABASE TestDatabase SET SINGLE_USER WITH ROLLBACK IMMEDIATE
RESTORE DATABASE [TestDatabase] FROM  DISK = 'C:\Program Files\Microsoft SQL Server\MSSQL15.INTEROPDATABASE\MSSQL\Backup\TestDatabaseEncrypted.bak'
WITH REPLACE
GO
```
Return to multiple user mode by running the following script.
```
USE master;
ALTER DATABASE TestDatabase SET
MULTI_USER;
GO
```

Column level encryption

Table Column data can be protected by an Entrust HSM protected key. These nDSOP EKM keys are generated within the SQL Server database and can encrypt/decrypt data in a column.

Generate a key

Insert the OCS in the HSM slot or TVD. No action is needed if you are using Softcard protection.

To create an asymmetric key, run the following query:

USE master;
CREATE ASYMMETRIC KEY "<name_of_key_in_database>"
FROM PROVIDER "<SQLEKM_provider>"
WITH
PROVIDER_KEY_NAME = '<name_of_key_in_SQLEKM_provider>',
CREATION_DISPOSITION = CREATE_NEW,
ALGORITHM = <asymmetric_algorithm_desc>;
GO

Where:

name_of_key_in_database	The name you want to give the key in the database. For example, AsymKey .
SQLEKM_provider	The SQLEKM provider. For example, nDSOP .
name_of_key_in_SQLEKM_provider	The name you want to give the key in the SQLEKM provider. For example, AsymKey .
asymmetric_algorithm_desc	A valid asymmetric key algorithm descriptor. For example, RSA_2048 . See Verify the SQLEKM provider configuration .

To create a symmetric key, run the following query:

USE master;
CREATE SYMMETRIC KEY "SymKey"
FROM PROVIDER "nDSOP"
WITH
PROVIDER_KEY_NAME = 'SymKey',
CREATION_DISPOSITION = CREATE_NEW,
ALGORITHM = AES_256;
GO

To import an existing nDSOP EKM protected key into the SQL Server, run the following query:

CREATE SYMMETRIC KEY "ExistingSymKey"
FROM PROVIDER "nDSOP"
WITH
PROVIDER_KEY_NAME = 'ExistingSymKey',
CREATION_DISPOSITION=OPEN_EXISTING
GO

Verify the key:

>nfkminfo -l

Keys protected by cardsets:
 key_simple_sqlekm-f82cca5299d7f8df581154de03b736998fd59f89-5d272ab1d5d69ab1300209ea5d0d1c50f59fafa4 'SymKey'

Column encryption

Create a table:

USE master;
CREATE TABLE testdb (
employee_name varchar (255) NOT NULL,
employee_secret varbinary (MAX) NOT NULL
)
GO

Insert a row into the table. The data within the second column is encrypted using the previously created key. For example:
```
INSERT INTO testdb
VALUES ('Employee Name', ENCRYPTBYKEY(KEY_GUID('SymKey'), 'Employee Password'))
```

Run the following to decrypt the values of the column:

SELECT CONVERT(varchar, DECRYPTBYKEY(employee_secret)) employee_secret FROM testdb

Asymmetric encryption and decryption examples:

INSERT INTO testdb
VALUES ('Employee Name', ENCRYPTBYASYMKEY(ASYMKEY_ID('AsymKey'), 'Secret Value'))

SELECT CONVERT(varchar, DECRYPTBYASYMKEY(ASYMKEY_ID('AsymKey'), employee_secret)) employee_secret FROM testdb

Upgrade nDSOP

This section will perform the migration of the Entrust Database Security Option Pack (nDSOP).

From Version	To Version
v1.0	v2.1

Product configurations

Product	Version
Base OS	Windows Server 2016 Datacenter
SQL Server	Microsoft 2016 Enterprise with Service Pack 2
Microsoft SQL Server Management Studio	v18.8

Supported nshield hardware and software versions

Product	Security World	Firmware	Netimage
Connect XC	12.60.11 with v2 Compatibility Package	FIPS 12.50.11	12.60.10

Procedure

The following procedure will be performed on a Windows Server 2016 with Microsoft SQL Server 2106, and nDSOP v1.0. A database called TestDatabase has been created and encrypted, and will be used in this procedure.

Backup the Security World.
Backup the database.

Run the following query to verify the encryption state.

/****** Script for SelectTopNRows command from SSMS  ******/
SELECT DB_NAME(e.database_id) AS DatabaseName, e.database_id, e.encryption_state, CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc, c.name, e.percent_complete FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint

Disable the EKM provider. Select Security Cryptographic Providers . Right-click on the provider and select Disable .
Restart the SQL Server from the Windows MSSMS or services.
Wait for 60 seconds after the restart. Then check the database status. Notice Recovery Pending next to TestDatabase .
Un-install nDSOP v1.01 EKM provider using the Windows Control Panel > Programs > Programs and Features .
Install nDSOP v2.1 EKM provider by mounting the .iso file and double-clicking setup .
Insert the OCS in the HSM slot or TVD. No action is needed if you are using Softcard protection.

Retarget the keys by running the sqlekm_retarget_keys command.

C:\Users\Administrator>nfkminfo -k

Key list - 2 keys
 AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419
 AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd

C:\Users\Administrator>sqlekm_retarget_keys --all
Found 2 keys to retarget
Retargetted: key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd
Retargetted: key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419

C:\Users\Administrator>nfkminfo -k

Key list - 4 keys
 AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419
 AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd
 AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-b1844c5bb4eadbdb1166dcdb64f4c5d59e4e408c
 AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-fa9380a3e111df122b0e02dd37c1233da89b8e16

Open the C:\ProgramData\nCipher\Key Management Data\local folder. Move all pkcs11 keys to another folder. Leave the simple keys in the current folder.

C:\ProgramData\nCipher\Key Management Data>mkdir local_pcks11_keys

C:\ProgramData\nCipher\Key Management Data>move local\key_pkcs11* local_pcks11_keys\.
C:\ProgramData\nCipher\Key Management Data\local\key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419
C:\ProgramData\nCipher\Key Management Data\local\key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd
        2 file(s) moved.

C:\ProgramData\nCipher\Key Management Data>nfkminfo -k

Key list - 2 keys
 AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-b1844c5bb4eadbdb1166dcdb64f4c5d59e4e408c
 AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-fa9380a3e111df122b0e02dd37c1233da89b8e16

Set the new provider by running he following script.

--ChangeToNewProvider.sql

ALTER CRYPTOGRAPHIC PROVIDER nDSOP
FROM FILE = 'C:\Program Files\nCipher\nfast\bin\ncsqlekm.dll';
GO

Enable the EKM provider. Select Security > Cryptographic Providers . Right-click the provider and select Enable .
Verify the new EKM provider version by running the following script. Notice the provider_version .
```
SELECT * FROM sys.dm_cryptographic_provider_properties;
```
Restart the SQL Server from the Windows MSSMS or services. Wait for 60 seconds after the restart.
Check and refresh database status. Notice the Recovery Pending message next to the TestDatabase goes away.

Verify the encryption state by running the following script. Notice the encryption_state_desc shown as Encrypted .

/****** Script for SelectTopNRows command from SSMS  ******/
SELECT DB_NAME(e.database_id) AS DatabaseName, e.database_id, e.encryption_state, CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc, c.name, e.percent_complete FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint

Table of Contents
Introduction
Setup
Configure TDE
Perform backup and recovery
Column level encryption
Upgrade nDSOP

RESOURCES

Integration Guide
Microsoft SQL Server nShield HSM Integration Guide
Web Page
nShield® Database Security Option Pack Integration with Microsoft SQL Server

Table of Contents

Introduction

Product configurations

Supported nshield hardware and software versions

Supported nshield functionality

Requirements

Setup

Install the Security World software and create a Security World

Install the nshield nDSOP

Create the Operator Card Set (OCS) or Softcard

Create the OCS

Create the Softcard

Enable EKM and register the SQLEKM provider

Verify the SQLEKM provider configuration

Create the user SQL Server credential

Configure TDE

Create a TDEKEK

Create a TDE login and credential

Create a TDE credential

Create the TDE login

Create the TDEDEK and switch on encryption

Key rotation - Replace the TDEKEK

Key rotation - Replace the TDEDEK

Perform backup and recovery

Back up the Security World

Restore the Security World

Back up the database

Restore the database

Column level encryption

Generate a key

Column encryption

Upgrade nDSOP

Product configurations

Supported nshield hardware and software versions

Procedure