Getting Started with Microsoft SQL AE
Microsoft SQL Server Always Encrypted is a security feature designed to protect sensitive data stored in SQL Server databases. It allows clients to encrypt sensitive data within client applications, ensuring that encryption keys are never revealed to the Database Engine. This separation of access prevents unauthorized users, such as on-premises database administrators, from viewing sensitive information.
This quickstart section provides a comprehensive guide outlining the steps necessary to integrate Microsoft SQL Server Always Encrypted with Securosys Hardware Security Modules, cloud and on-premises.
1. Prerequisites
Before starting the process of integrating the Securosys CloudHSM or on-premises Primus HSM with Microsoft SQL Server - Always Encrypted please ensure your Primus HSM is already configured and that MS SQL Server is already installed and configured with a database created.
Your CloudHSM partition comes preconfigured for use with MS SQL Server (subject to appropriate licensing).
For more details visit the Prerequisites page.
2. Primus CNG/KSP Provider
Refer to the Primus MS CNG Provider documentation on how to download, install and configure the Primus CNG/KSP Provider.
Ensure that the CNG API is both licensed and activated on your HSM device or within your CloudHSM subscription.
3. Creating Column Master Key
Create a Column Master Key (CMK) using either CloudHSM or on-premises Primus HSM. This key will encrypt all subsequent Column Encryption Keys (CEK).
Both Windows GUI and CLI can be used to create a CMK.
For more details visit the Creating Column Master Key page.
4. Creating Column Encryption Key
There are two approaches to generate the Column Encryption Key (CEK) in this document we describe the procedure of defining the CEKs explicitly within the Security
folder where the the CMK was defined, having the advantage to name the CEKs manually.
Both Windows GUI and CLI can be used to create the CEKs.
For more details visit the Creating Column Encryption Key page.
5. Enabling Column Encryption on the Database Table
Enable Column Encryption on the database table using the previously generated CMK and CEKs.
Both GUI and CLI can be used to enable Column Encryption.
For more details visit the Enable Column Encryption on the Database Table page.
6. Decrypt a Column Encrypted Database
Additional database connection parameters are required to show encrypted columns in plaintext.
For more details visit the Connecting to Column Encrypted Database
7. Concepts
For more information about Always Encrypted and references used in this document visit the Concepts section.