Introduction

This document describes how to integrate Microsoft SQL Server with the nShield Database Security Option Pack (nDSOP) using an Entrust nShield hardware security module (HSM) as a Root of Trust. Entrust nShield HSMs (referred to as HSM in this guide) provide FIPS-certified solutions to generate and secure the keys used to encrypt and decrypt the database.

Product configurations

Entrust tested the integration with the following versions:

| Product | Version |
|---|---|
| Base OS | Windows Server Datacenter 2025 |
| SQL Server | Microsoft SQL Server Enterprise 2022 |
| Microsoft SQL Server Management Studio (SSMS) | v20.2.1 |

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

| HSM | Security World Software | Firmware | Netimage |
|---|---|---|---|
| Connect XC | 13.6.8 | 13.4.5 (FIPS 140-3 certified) | 13.6.7 |
| nShield 5c | 13.6.8 | 12.72.3 (FIPS 140-2 certified) | 13.6.7 |

Security World Software v13.6.8 is the first release supporting Windows Server 2025.

Supported nShield SQLEKM provider:

| Product | Version |
|---|---|
| nDSOP | v2.1.1 |

Supported nShield functionality

| Functionality | Support |
|---|---|
| FIPS 140 Level 3 | Yes |
| Key Management | Yes |
| Key Generation | Yes |
| Key Recovery | Yes |
| 1 of N Card Set | Yes |
| Softcards | Yes |
| Module Only Key | No |
| Fail Over | Yes |
| Load Balancing | Yes |
| nSaaS | Yes |

Requirements

Be familiar with:

  • The Microsoft SQL Server features and documentation.

  • The Microsoft SQL Server Management Studio features and documentation.

  • The T-SQL language. The minimum requirement for T-SQL is a basic understanding of SQL tasks such as creating a database or tables.

  • Database security concepts and practices.

  • The nShield Documentation.

Terms

| Acronym | Definition |
|---|---|
| SQLEKM | SQL Server Extensible Key Management |
| TDEKEK | TDE Key Encryption Key |
| TDEDEK | TDE Database Encryption Key |