SQL 2019 TDE with external HSM

Jacy chua 116 Reputation points
2021-11-17T12:47:22.173+00:00

Hi all, need some advice on which steps does a HSM comes into the picture when implementing TDE on SQL Server.

Create a master key -> is it here?
Create or obtain a certificate protected by master key -> or Is it here?
Create a database key and protect it by the certificate.
Set the database you want to protect to use the encryption.

Question then comes after what happens when we change a HSM in a situation if HSM is compromised? Does it mean we will need to re-create a new master key or the certificate and then re-encrypt the database?

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
14,469 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmeliaGu-MSFT 13,991 Reputation points Microsoft Vendor
    2021-11-18T07:00:49.363+00:00

    Hi Jacychua-2742,

    When you enable TDE on your SQL Server database, the database generates a symmetric encryption key and protects it using the EKM Provider from your external key manager vendor. The EKM Provider sends the symmetric key to the key server where it is encrypted with an asymmetric key. The encrypted database key is then stored locally on disk in the SQL Server.
    If the asymmetric key stored in the EKM module is lost, we have to restore the key from the HSM device to decrypt the database files either backup or data files so we can bring it online.
    Please refer to Enable TDE on SQL Server Using EKM and TDE, EKM and the Asymmetric Key which might be
    helpful.

    Best Regards,
    Amelia


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Tom Phillips 17,741 Reputation points
    2021-11-17T14:38:45.637+00:00

  2. Jacy chua 116 Reputation points
    2021-11-18T12:15:02.28+00:00

    thank you! that makes it much clearer!

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.