Upgrade nDSOP

This section describes how to migrate the Entrust Database Security Option Pack (nDSOP) from the version listed below to the newer one.

From Version    To Version
v1.0            v2.1

Product configurations

Product                                   Version
Base OS                                   Windows Server 2016 Datacenter
SQL Server                                Microsoft 2016 Enterprise with Service Pack 2
Microsoft SQL Server Management Studio    v18.8

Supported nShield hardware and software versions

Product       Security World                            Firmware                     Netimage
Connect XC    12.60.11 with v2 Compatibility Package    12.50.11 (FIPS Certified)    12.60.10

Procedure

The following procedure is performed on Windows Server 2016 with Microsoft SQL Server 2016 and nDSOP v1.0. A database called TestDatabase has already been created and encrypted, and is used throughout this procedure.

  1. Backup the Security World.

  2. Backup the database.

  3. Run the following query to verify the encryption state.

    /****** Script for SelectTopNRows command from SSMS  ******/
    SELECT DB_NAME(e.database_id) AS DatabaseName, e.database_id, e.encryption_state,
           CASE e.encryption_state
                WHEN 0 THEN 'No database encryption key present, no encryption'
                WHEN 1 THEN 'Unencrypted'
                WHEN 2 THEN 'Encryption in progress'
                WHEN 3 THEN 'Encrypted'
                WHEN 4 THEN 'Key change in progress'
                WHEN 5 THEN 'Decryption in progress'
           END AS encryption_state_desc, c.name, e.percent_complete
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
  4. Disable the EKM provider. Select Security > Cryptographic Providers. Right-click the provider and select Disable.

    [Screenshot: Upgrade Disable EKM Provider 1]
    [Screenshot: Upgrade Disable EKM Provider 2]
  5. Restart SQL Server from SSMS or from the Windows Services console.

    [Screenshot: Upgrade Restart SQL Server]
  6. Wait 60 seconds after the restart, then check the database status. Recovery Pending is shown next to TestDatabase, because the EKM provider that protects its encryption key is disabled.

    [Screenshot: Upgrade Recovery Pending]
  7. Uninstall the nDSOP v1.01 EKM provider via Windows Control Panel > Programs > Programs and Features.

  8. Install the nDSOP v2.1 EKM provider by mounting the .iso file and double-clicking setup.

  9. Insert the OCS into the HSM slot or TVD. No action is needed if you are using Softcard protection.

  10. Retarget the keys by running the sqlekm_retarget_keys command:

    C:\Users\Administrator>nfkminfo -k
    
    Key list - 2 keys
     AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419
     AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd
    
    C:\Users\Administrator>sqlekm_retarget_keys --all
    Found 2 keys to retarget
    Retargetted: key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd
    Retargetted: key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419
    
    C:\Users\Administrator>nfkminfo -k
    
    Key list - 4 keys
     AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419
     AppName pkcs11               Ident uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd
     AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-b1844c5bb4eadbdb1166dcdb64f4c5d59e4e408c
     AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-fa9380a3e111df122b0e02dd37c1233da89b8e16
  11. Open the C:\ProgramData\nCipher\Key Management Data\local folder. Move all pkcs11 keys to another folder and leave the simple keys (the retargeted sqlekm keys) in the current folder.

    C:\ProgramData\nCipher\Key Management Data>mkdir local_pcks11_keys
    
    C:\ProgramData\nCipher\Key Management Data>move local\key_pkcs11* local_pcks11_keys\.
    C:\ProgramData\nCipher\Key Management Data\local\key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-56ac051fb249f91e641b065dc12fec8a9fea2419
    C:\ProgramData\nCipher\Key Management Data\local\key_pkcs11_uc79dfaf7c3311d22d240a7257e5e760ede89fbc70-c88b06f02bdca29f2a98b9c9352daf9191fc8afd
            2 file(s) moved.
    
    C:\ProgramData\nCipher\Key Management Data>nfkminfo -k
    
    Key list - 2 keys
     AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-b1844c5bb4eadbdb1166dcdb64f4c5d59e4e408c
     AppName simple               Ident sqlekm-79dfaf7c3311d22d240a7257e5e760ede89fbc70-fa9380a3e111df122b0e02dd37c1233da89b8e16
  12. Set the new provider by running the following query:

    --ChangeToNewProvider.sql

    ALTER CRYPTOGRAPHIC PROVIDER nDSOP
    FROM FILE = 'C:\Program Files\nCipher\nfast\bin\ncsqlekm.dll';
    GO
  13. Enable the EKM provider. Select Security > Cryptographic Providers. Right-click the provider and select Enable.

    [Screenshot: Upgrade Enable EKM Provider]
  14. Verify the new EKM provider version by running the following query. Check the provider_version column.

    SELECT * FROM sys.dm_cryptographic_provider_properties;

    [Screenshot: Upgrade Verify New Provider]
  15. Restart SQL Server from SSMS or from the Windows Services console. Wait 60 seconds after the restart.

  16. Refresh the database list and check the status. The Recovery Pending message next to TestDatabase should no longer be shown.

  17. Verify the encryption state by running the following query. encryption_state_desc should be shown as Encrypted.

    /****** Script for SelectTopNRows command from SSMS  ******/
    SELECT DB_NAME(e.database_id) AS DatabaseName, e.database_id, e.encryption_state,
           CASE e.encryption_state
                WHEN 0 THEN 'No database encryption key present, no encryption'
                WHEN 1 THEN 'Unencrypted'
                WHEN 2 THEN 'Encryption in progress'
                WHEN 3 THEN 'Encrypted'
                WHEN 4 THEN 'Key change in progress'
                WHEN 5 THEN 'Decryption in progress'
           END AS encryption_state_desc, c.name, e.percent_complete
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint

    [Screenshot: Upgrade New Encryption State]
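The checks spread over steps 3, 6, 14, 16 and 17 can be combined into one verification script, run once before step 4 to record the baseline and again after step 17 to confirm the result. This is an added example, not part of the Entrust guide; it assumes the database name TestDatabase and provider name nDSOP used above, and reports encryptor_type rather than a certificate name, since with an EKM provider the database encryption key is protected by an asymmetric key held in the HSM.

```sql
-- Added verification script (not from the nDSOP guide). Assumes the database
-- TestDatabase and the cryptographic provider nDSOP named in the procedure.
DECLARE @db sysname = N'TestDatabase';
DECLARE @provider sysname = N'nDSOP';

-- 1. Database availability. While the EKM provider is disabled (step 6) this
--    reports RECOVERY_PENDING; after step 16 it should be ONLINE again.
SELECT name, state_desc
FROM sys.databases
WHERE name = @db;

-- 2. Registered provider, whether it is enabled, and the DLL version SQL Server
--    actually loaded (the provider_version checked in step 14).
SELECT p.name, p.dll_path, p.is_enabled, pp.provider_version, pp.sqlcrypt_version
FROM sys.cryptographic_providers AS p
JOIN sys.dm_cryptographic_provider_properties AS pp
  ON pp.provider_id = p.provider_id
WHERE p.name = @provider;

-- 3. TDE state of the database. Expect encryption_state = 3 (Encrypted) both
--    before step 4 and after step 17; anything else means the DEK could not be
--    opened through the new provider and the key retargeting must be reviewed.
SELECT DB_NAME(e.database_id) AS DatabaseName,
       e.encryption_state,
       CASE e.encryption_state
            WHEN 0 THEN 'No database encryption key present, no encryption'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
       END AS encryption_state_desc,
       e.encryptor_type,       -- ASYMMETRIC KEY when the DEK is protected by EKM
       e.percent_complete
FROM sys.dm_database_encryption_keys AS e
WHERE e.database_id = DB_ID(@db);

-- 4. Fail loudly when used as a post-upgrade gate: the database came back
--    online but its encryption state is not Encrypted.
IF EXISTS (SELECT 1 FROM sys.databases WHERE name = @db AND state_desc = 'ONLINE')
   AND NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys
                   WHERE database_id = DB_ID(@db) AND encryption_state = 3)
    RAISERROR('TDE check failed: %s is online but not in the Encrypted state.', 16, 1, @db);
```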