Hi Jacychua-2742,
When you enable TDE on your SQL Server database, the database generates a symmetric encryption key and protects it using the EKM Provider from your external key manager vendor. The EKM Provider sends the symmetric key to the key server where it is encrypted with an asymmetric key. The encrypted database key is then stored locally on disk in the SQL Server.
If the asymmetric key stored in the EKM module is lost, we have to restore the key from the HSM device to decrypt the database files, either backup or data files, so we can bring it online.
Please refer to "Enable TDE on SQL Server Using EKM" and "TDE, EKM and the Asymmetric Key", which might be helpful.
Best Regards,
Amelia
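The key hierarchy described in the answer above, as an added T-SQL example that is not part of the original answer: it wraps the database encryption key with an EKM-held asymmetric key, then lists which EKM key each encrypted database depends on, which is the key that must be restorable from the HSM. The provider name, DLL path, credential identities and secrets, login, key name and database name are all placeholders; the credential format depends on the EKM vendor.

```sql
-- Added example. Every name, path and secret below is a placeholder.
USE master;
GO
-- 1. Allow EKM providers and register the vendor's provider DLL.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;  RECONFIGURE;
GO
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\EKM\example_ekm_provider.dll';      -- placeholder path
GO
-- 2. Credential the administrator uses to reach the key server during setup.
CREATE CREDENTIAL ExampleEkmAdminCred
    WITH IDENTITY = 'ekm_admin', SECRET = '<placeholder-secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [EXAMPLE\dba] ADD CREDENTIAL ExampleEkmAdminCred;
GO
-- 3. Reference the asymmetric key that lives on the key server / HSM.
--    Only a handle is created in master; the private key never leaves the HSM.
CREATE ASYMMETRIC KEY ExampleTdeKek
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'example_tde_key',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- 4. Login and credential the Database Engine itself uses to open the key.
CREATE CREDENTIAL ExampleEkmTdeCred
    WITH IDENTITY = 'ekm_tde', SECRET = '<placeholder-secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
CREATE LOGIN ExampleTdeLogin FROM ASYMMETRIC KEY ExampleTdeKek;
ALTER LOGIN ExampleTdeLogin ADD CREDENTIAL ExampleEkmTdeCred;
GO
-- 5. Create the symmetric database encryption key (DEK), wrapped by the EKM key.
USE ExampleDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY ExampleTdeKek;
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO
-- 6. Inventory: which EKM key protects each DEK. A NULL ekm_key_name means the
--    encryptor is not an asymmetric key known to this instance's master database.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.encryptor_type,
       ak.name                  AS ekm_key_name,
       ak.provider_type,
       dek.encryptor_thumbprint
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.asymmetric_keys AS ak
       ON ak.thumbprint = dek.encryptor_thumbprint;
```

Recording the output of step 6 alongside each backup shows which HSM key has to be available before that backup can be restored on another instance.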