Upgrade nDSOP from v2.1.0 to v2.1.1

| From version | To version |
| --- | --- |
| v2.1.0 (hotfix-Z166345-TAC1058) | v2.1.1 |

Product configurations

| Product | Version |
| --- | --- |
| Base OS | Windows Server 2022 Datacenter |
| SQL Server | Microsoft SQL Server Enterprise 2022 |
| Microsoft SQL Server Management Studio | v20.2.1 |

Tested nShield hardware and software versions

| HSM | Security World | Firmware | Netimage |
| --- | --- | --- | --- |
| nShield 5c | 13.3.2 | 13.4.5 (FIPS 140-3 certified) | 13.6.7 |

Procedure

A database called TestDatabase has been created and encrypted and will be used in this procedure.

  1. Back up the Security World (see backup-recovery.adoc#backup-security-world).

  2. Back up the database (see backup-recovery.adoc#backup-database).

  3. Run the following query to verify the encryption state.

    /****** Script for SelectTopNRows command from SSMS  ******/
    SELECT DB_NAME(e.database_id) AS DatabaseName,
           e.database_id,
           e.encryption_state,
           CASE e.encryption_state
               WHEN 0 THEN 'No database encryption key present, no encryption'
               WHEN 1 THEN 'Unencrypted'
               WHEN 2 THEN 'Encryption in progress'
               WHEN 3 THEN 'Encrypted'
               WHEN 4 THEN 'Key change in progress'
               WHEN 5 THEN 'Decryption in progress'
           END AS encryption_state_desc,
           c.name,
           e.percent_complete
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c
           ON e.encryptor_thumbprint = c.thumbprint;
  4. Disable the EKM provider. Select Security > Cryptographic Providers. Right-click the provider and select Disable.

  5. Restart SQL Server from MSSMS or from Windows Services.

  6. Wait 60 seconds after the restart, then check the database status. Recovery Pending is shown next to TestDatabase.

  7. Uninstall the nDSOP v2.1.0 EKM provider using Windows Control Panel > Programs > Programs and Features.

  8. Install the nDSOP v2.1.1 EKM provider by mounting the .iso file and double-clicking setup.

  9. Insert the OCS in the HSM slot or TVD. No action is needed if you are using Softcard protection.

  10. Set the new provider by running the following query:

    --ChangeToNewProvider.sql
    
    ALTER CRYPTOGRAPHIC PROVIDER nDSOP 
    FROM FILE = 'C:\Program Files\nCipher\nfast\bin\ncsqlekm.dll';  
    GO  
  11. Enable the EKM provider. Select Security > Cryptographic Providers. Right-click the provider and select Enable.

  12. Verify the new EKM provider version by running the following query. Notice the provider_version.

    SELECT * FROM sys.dm_cryptographic_provider_properties;
  13. Restart SQL Server from MSSMS or from Windows Services. Wait 60 seconds after the restart.

  14. Refresh and check the database status. The Recovery Pending message next to TestDatabase goes away.

  15. Verify the encryption state by running the following query. The encryption_state_desc column shows Encrypted.

    /****** Script for SelectTopNRows command from SSMS  ******/
    SELECT DB_NAME(e.database_id) AS DatabaseName,
           e.database_id,
           e.encryption_state,
           CASE e.encryption_state
               WHEN 0 THEN 'No database encryption key present, no encryption'
               WHEN 1 THEN 'Unencrypted'
               WHEN 2 THEN 'Encryption in progress'
               WHEN 3 THEN 'Encrypted'
               WHEN 4 THEN 'Key change in progress'
               WHEN 5 THEN 'Decryption in progress'
           END AS encryption_state_desc,
           c.name,
           e.percent_complete
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c
           ON e.encryptor_thumbprint = c.thumbprint;
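
The checks in steps 12, 14 and 15 can be run as one post-upgrade batch. The following is an added example, not part of the original procedure or the product's own scripts. It assumes the provider is registered under the name nDSOP, as in step 10, and it also joins sys.asymmetric_keys, because with an EKM provider the database encryption key is protected by a server asymmetric key rather than a certificate.

```sql
-- Added example: post-upgrade verification for steps 12, 14 and 15.
-- Assumption: the EKM provider is registered as nDSOP (the name used in step 10).
USE master;
GO

-- Step 12: provider registration, enabled flag, DLL path and the version
-- reported by the loaded DLL. provider_version is NULL if the DLL is not loaded.
SELECT p.name,
       p.is_enabled,
       p.dll_path,
       pp.provider_version,
       pp.friendly_name
FROM sys.cryptographic_providers AS p
LEFT JOIN sys.dm_cryptographic_provider_properties AS pp
       ON pp.provider_id = p.provider_id
WHERE p.name = N'nDSOP';

-- Steps 14 and 15: every TDE database with its availability state, its
-- encryption state and the key that protects its database encryption key.
-- Starting from sys.databases keeps a database visible even while it is in
-- RECOVERY_PENDING. tempdb is listed too once any database uses TDE.
SELECT d.name                      AS DatabaseName,
       d.state_desc,
       e.encryption_state,
       e.encryptor_type,
       COALESCE(ak.name, c.name)   AS encryptor_name,
       cp.name                     AS ekm_provider,
       CASE
           WHEN d.state_desc = 'ONLINE' AND e.encryption_state = 3 THEN 'OK'
           ELSE 'CHECK'
       END                         AS result
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS e
       ON e.database_id = d.database_id
LEFT JOIN master.sys.asymmetric_keys AS ak
       ON ak.thumbprint = e.encryptor_thumbprint
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = e.encryptor_thumbprint
LEFT JOIN sys.cryptographic_providers AS cp
       ON cp.guid = ak.cryptographic_provider_guid
WHERE d.is_encrypted = 1
   OR e.database_id IS NOT NULL
ORDER BY d.name;
```

Any row marked CHECK after step 13 means the database is either not online or not in encryption state 3, and should be looked at before the upgrade is considered complete.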