Procedures
Prerequisites
-
Entrust KeyControl nodes, the Vault Management node with a Database Vault, have been deployed and configured. For details, see the Entrust KeyControl 10.2 Install & Upgrade Guide in the HyTrust Online documentation: https://docs.hytrust.com/KeyControlVault/10.2/Online/Content/OLH-Files/Help-content-map-all-books.html.
-
Microsoft SQL Server 2022 (Developer Edition) and SQL Server Management Tools have been installed.
Microsoft SQL Server Express Edition does not support EKM so it is not compatible with this integration.
Workflow overview
Throughout this guide, queries will be run from the command line. Examples queries will show how to accomplish the integration of KeyControl and SQL Server. Edit these queries to meet your requirements.
The workflow to accomplish the integration of KeyControl and SQL Server is:
Operations for later:
Configure KeyControl Vault
-
Sign in to your Key Control Vault Management node.
-
Select Create Vault.
-
Enter the Vault Type as Database.
-
Enter the Vault Name.
-
Optional, enter a description.
-
Enter Admin Name.
-
Enter Admin Email.
-
Select Create Vault.
-
Sign in to your vault first with your Admin email and temporary password.
-
Change the Admin password.
-
Sign in to your Database Vault with your new password.
Install the Policy Agent client on the SQL Server machine
-
Sign in to the KeyControl Vault Management WebGUI using an account with Cloud Admin privileges.
-
Select the Workloads tab.
-
Select Actions > Download Policy Agent.
-
Select Download next to
hcs-client-agent-xyz
. -
Copy the download to the machine containing Microsoft SQL Server and run it as
administrator
. -
Navigate through the install with the default options.
-
Select Reboot now.
Register with the KeyControl server
-
Sign in to the KeyControl Vault Management WebGUI.
-
Select the Workloads tab.
-
Select Actions > Create Cloud VM Set.
-
Enter a Name for the Cloud VM Set.
-
Select Create.
-
Sign in to the machine containing SQL Server.
-
Open Entrust DataControl through the Windows Start menu.
-
Select Register.
-
Enter the IP address of the KeyControl Server.
-
Enter the Username of the KeyControl Cloud Admin User.
-
Enter the Password for the KeyControl Cloud Admin User.
-
Enter the name of the previously created Cloud VM Set.
-
Enter the Vault ID (you can find it from the user profile).
-
Select Register.
-
Open an Admin command prompt window.
-
Enable TDE on the server:
C:\Users\Administrator.INTEROP>hcl tde status TDE is not enabled on this VM C:\Users\Administrator.INTEROP>hcl tde enable Enabling tde will change permissions of some Files. Do you want to proceed? (y/n) y C:\Users\Administrator.INTEROP>hcl tde status TDE is enabled on this VM C:\Users\Administrator.INTEROP>hcl status Summary ------------------------------------------------------------------------------- KeyControl: xx.xxx.xxx.xxx:443 KeyControl list: xx.xxx.xxx.xxx:443 Vault ID: 5bd41334-xxxx-xxxx-xxxx-93b369278012 Status: Connected Last heartbeat: Tue May 21 11:22:25 2024 (successful) AES_NI: enabled Certificate Expiration: May 21 14:26:46 2025 GMT Device details ------------------------------------------------------------------------------- Drive Disk Part Cipher Status GUID ------------------------------------------------------------------------------- C: 0 3 none Avail-Sys N/A
The VM will now appear under WORKLOADS > VMs in KeyControl.
Create a TDE database keyset to hold keys
-
Sign in to the KeyControl WebGUI using an account with Cloud Admin privileges.
-
Select the CLOUDKEYS tab.
-
Select Actions > Create Key Set > TDE.
-
Enter a name for the keyset.
-
For Admin Group, select Cloud Admin Group.
-
For Database Type, select Microsoft SQL Server.
-
Select Continue.
-
Leave Enable HSM unchecked.
-
Select Continue.
-
Select an option for the Rotation Schedule.
-
Select Apply. The keyset is created.
-
Select Close.
Create the database connector
-
Select the previously created keyset from the list.
-
Then select the Database Connectors tab.
-
Select Create Connector.
-
Select your machine from the list.
-
Enter a Connector Name.
-
Select an option for the Expiration.
-
Select Create.
To generate and apply an Access Token:
-
Check the box next to the Database Connector in the list and then select Actions > Generate Access Token.
-
Select Generate Token. You will need to copy the Identity and Secret and then paste them into the following queries that will be run.
-
Sign in to the machine containing Microsoft SQL Server and open Microsoft SQL Server Management Studio.
-
Connect to Database Server.
-
Enable and load the EKM provider:
USE master go -- Enable EKM provider sp_configure 'show advanced options', 1 ; GO reconfigure; go sp_configure 'EKM provider enabled', 1 ; GO RECONFIGURE ; GO
-
Set up the login credentials. Edit the query and paste in the previously copied
Identity and Secret
before executing it.-- Load Cryptographic provider CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov FROM FILE = 'C:\Program Files\hcs\bin\htsqlekm_provider.dll'; GO -- Create credential for System Administrator CREATE CREDENTIAL sa_ekm_tde_cred WITH IDENTITY = '', SECRET = '' FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ; GO -- Add credential to admin login ALTER LOGIN [MS-SQL-TDE-KC10\Administrator] ADD CREDENTIAL "sa_ekm_tde_cred"; GO
Create a master key on KeyControl
-
Sign in to the KeyControl WebGUI using an account with Cloud Admin privileges.
-
Select the CLOUDKEYS tab.
-
Select CloudKeys.
-
In the Key Set dropdown, select your previously created TDE keyset.
-
Select Actions > Create CloudKey.
-
Enter a Name for the key.
-
Select a Cipher. See KeyControl product documentation for selecting a cipher best suited for your implementation.
-
Select Continue.
-
Edit the remaining options as needed.
-
Select Apply.
The CloudKey is now created.
-
Select Close.
Create the TDE key within Microsoft SQL Server
-
Create a TDE key:
USE master; CREATE ASYMMETRIC KEY TDE_KEY FROM PROVIDER EKM_Prov WITH PROVIDER_KEY_NAME = 'tdersa2048key', CREATION_DISPOSITION = OPEN_EXISTING; GO
-
Create a login for the TDE user:
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY TDE_KEY ; GO
-
Create another credential for the TDE login, remembering to edit the
SECRET
andIDENTITY
parameters:CREATE CREDENTIAL tde_ekm_cred WITH IDENTITY = '', SECRET = '' FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ; GO
-
Add this credential to TDE login:
ALTER LOGIN TDE_Login ADD CREDENTIAL tde_ekm_cred GO
Test the database encryption
The following queries test encryption with a database encryption key which is wrapped by the TDE key that was created in Create the TDE key within Microsoft SQL Server.
-
Prepare to use the test database:
USE testdb GO
-
Create a symmetric encryption key for the database which will be wrapped by the TDE key:
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_KEY; GO
-
Enable encryption on the test database:
ALTER DATABASE testdb SET ENCRYPTION ON ; GO
-
Check the state of keys and encryption:
USE master GO Select * from sys.dm_database_encryption_keys Select * from sys.asymmetric_keys GO SELECT DB_NAME(database_id) AS DatabaseName, encryption_state, encryption_state_desc = CASE encryption_state WHEN '0' THEN 'No database encryption key present, no encryption' WHEN '1' THEN 'Unencrypted' WHEN '2' THEN 'Encryption in progress' WHEN '3' THEN 'Encrypted' WHEN '4' THEN 'Key change in progress' WHEN '5' THEN 'Decryption in progress' WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed.)' ELSE 'No Status' END, percent_complete,encryptor_thumbprint, encryptor_type FROM sys.dm_database_encryption_keys SELECT DB_NAME(database_id) AS DatabaseName, encryption_state,percent_complete,encryptor_thumbprint, encryptor_type FROM sys.dm_database_encryption_keys
-
If required, you can trace events to debug EKM API usage:
create event session testsession on server add event sqlserver.sec_ekm_provider_called (action (package0.callstack,sqlserver.tsql_stack,sqlserver.client_app_name, sqlserver.client_hostname, sqlserver.context_info, sqlserver.database_name,sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text) where counter <= 100) add target package0.ring_buffer ( set max_memory=1, occurrence_number=1) with (MAX_DISPATCH_LATENCY=1 seconds) go alter event session testsession on server state=start
This concludes the basic workflow for TDE.
Rotate the key manually in KeyControl
Auto-rotation is not supported. |
-
Sign in to the KeyControl WebGUI using an account with Cloud Admin privileges.
-
Select the CLOUDKEYS tab.
-
Select CloudKeys > Key Set, then select a CloudKey from the list.
-
Select Rotate Now. A new version of the key will be created. You can see this in the Versions tab. The new version has a star next to it.
-
Create the new key on Microsoft SQL Server. Edit the Secret and Identity as required.
USE master; CREATE ASYMMETRIC KEY TDE_KEY_v2 FROM PROVIDER EKM_Prov WITH PROVIDER_KEY_NAME = 'tdersa2048key', CREATION_DISPOSITION = OPEN_EXISTING; GO CREATE CREDENTIAL tde_ekm_cred_v2 WITH IDENTITY = 'htdc-tde-cred', SECRET = '' FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ; GO
-
Create new logins for the new key:
CREATE LOGIN TDE_Login_v2 FROM ASYMMETRIC KEY TDE_KEY_v2 ; GO ALTER LOGIN TDE_Login_v2 ADD CREDENTIAL tde_ekm_cred_v2 GO
-
Set the second key as the new key to use:
use testdb GO ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_KEY_v2; GO
The database encryption key has been rewrapped. Now the test database is encrypted using the database key version 2.
Shut down encryption on the database and remove credentials
-
Shut down encryption:
ALTER DATABASE testdb SET ENCRYPTION OFF ; GO USE testdb DROP DATABASE ENCRYPTION KEY GO USE master GO DROP ASYMMETRIC KEY TDE_KEY DROP ASYMMETRIC KEY TDE_KEY_v2 ALTER LOGIN TDE_Login DROP CREDENTIAL tde_ekm_cred GO DROP LOGIN TDE_Login DROP CREDENTIAL tde_ekm_cred GO ALTER LOGIN TDE_Login_v2 DROP CREDENTIAL tde_ekm_cred_v2 GO DROP LOGIN TDE_Login_v2 DROP credential tde_ekm_cred_v2 GO
-
Remove the credential from the admin login:
ALTER LOGIN [MS-SQL-TDE-KC10\Administrator] DROP CREDENTIAL sa_ekm_tde_cred; GO DROP credential sa_ekm_tde_cred GO