Setting Up a Microsoft SQL Server Cluster for TDE

When you set up a failover cluster, every node shares the same Key Set and Cloud VM Set that you created for the primary VM. Each node gets its own database connector and access token, but the credential file that holds them must have the same path and file name on every node.

  1. Ensure that you have completed all of the previous steps to create and configure the primary VM of your SQL Server cluster.

    Important: The SQL Server credential that you created for the primary VM must reference the path of the credential file that holds the identity and secret. That path and file name must be identical on every node of the SQL Server cluster.

    For example, the credential file C:\Users\Administrator\sqlcred.conf contains:

    {
        "identity"    : "<the identity copied from the access token>",
        "secret"      : "<the secret copied from the access token>"
    }

    See Configuring Microsoft SQL Server for EKM.

  2. Install and register the Policy Agent on your failover SQL Server VM.

    Note: The failover VM must be registered to the same Cloud VM Set that you created for the primary VM. Ensure that the VM name indicates that this is a failover VM.

    See Installing and Registering the Policy Agent for SQL Server.

  3. Enable TDE on the failover SQL Server VM.

    See Enable TDE on SQL Server.

  4. Create a database connector for the failover SQL Server VM on the same Key Set that you used for the primary SQL Server VM. Ensure that the connector name indicates that this is the failover VM.

    See Configuring a Cryptographic Security Platform Vault Database Connector.

  5. Select the database connector that you just created, and select Actions > Generate Access Token.

    On the Generate Access Token window, the new access token is created and both an identity and a secret are displayed. Copy both; you need them to configure the cryptographic provider on the failover VM.

  6. Using the identity and secret that you copied when you generated the access token, create a credential file in JSON format on the failover VM.

    Important: This file must have the same name and path that you used on the primary SQL Server VM, for example C:\Users\Administrator\sqlcred.conf.

    Make sure that Windows did not append a hidden .txt extension to the file name (for example sqlcred.conf.txt); the provider will not find the file under that name. Show file name extensions in Explorer, or check the name from a command prompt.

    {
        "identity"    : "<the identity copied from the access token>",
        "secret"      : "<the secret copied from the access token>"
    }
  7. Fail over to the new failover VM using your preferred method.

  8. On the node that is now active, run the following query to confirm that the TDE asymmetric key you created is visible. The thumbprint should match the one you see on the primary node. GO is a batch separator for SQL Server Management Studio and sqlcmd, not T-SQL:

    USE master;
    GO
    SELECT name, thumbprint, algorithm_desc
    FROM sys.asymmetric_keys;
    GO
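
The procedure above, carried out on a failover node, as an added PowerShell example that is not part of the original page or of the vendor's tooling. It assumes the page's example path C:\Users\Administrator\sqlcred.conf, that SQL Server runs as the default-instance virtual account NT Service\MSSQLSERVER, and that the SqlServer PowerShell module (Invoke-Sqlcmd) is installed for the final check; all three are assumptions, and the function names are mine. The JSON check extends step 6 (hidden .txt extension, malformed JSON, missing keys, loose ACLs), and the SQL check extends step 8 by joining the asymmetric key to the EKM provider and to the database encryption keys so you also see whether each database is actually encrypted (encryption_state 3).

```powershell
# Added example, not from the original page. Writes the EKM credential file on a
# failover node at the same path as on the primary, checks it, and confirms the
# TDE key from SQL Server after failover.
# Assumptions (mine, not the page's): the path, the service account name and the
# presence of the SqlServer module. Adjust all three to your environment.

$CredentialPath    = 'C:\Users\Administrator\sqlcred.conf'   # page's example path
$SqlServiceAccount = 'NT Service\MSSQLSERVER'                # default-instance virtual account

function Write-EkmCredentialFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $Secret,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    # The provider reads plain JSON, so the secret is on disk in clear text;
    # the ACL below is what keeps it from other local users.
    $json = [ordered]@{ identity = $Identity; secret = $Secret } | ConvertTo-Json

    # UTF-8 without a BOM: Set-Content -Encoding utf8 adds one on Windows
    # PowerShell 5.1, and a BOM is not valid at the start of a JSON document.
    [System.IO.File]::WriteAllText($Path, $json, [System.Text.UTF8Encoding]::new($false))

    # Drop inherited ACEs (Users would otherwise keep read access), then grant
    # Administrators and SYSTEM full control and the SQL Server account read only.
    icacls $Path /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' `
        'NT AUTHORITY\SYSTEM:(F)' "${ServiceAccount}:(R)" | Out-Null
}

function Test-EkmCredentialFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    $problems = @()

    # Notepad's "Save as text" habit turns sqlcred.conf into sqlcred.conf.txt.
    if (Test-Path -LiteralPath "$Path.txt") {
        $problems += "found '$Path.txt'; rename it to '$Path'"
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        return $problems + "credential file '$Path' does not exist"
    }

    try {
        $cred = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    } catch {
        return $problems + "file is not valid JSON: $($_.Exception.Message)"
    }
    foreach ($key in 'identity', 'secret') {
        if (-not $cred.PSObject.Properties[$key] -or [string]::IsNullOrWhiteSpace($cred.$key)) {
            $problems += "JSON is missing a non-empty '$key' value"
        }
    }

    # Anything beyond Administrators, SYSTEM and the service account is a leak.
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $ServiceAccount
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -notin $allowed) {
            $problems += "unexpected ACL entry for $($ace.IdentityReference)"
        }
    }
    return $problems
}

function Test-EkmTdeState {
    param([string] $ServerInstance = '.')
    if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) {
        Write-Warning 'Invoke-Sqlcmd not available; run the T-SQL from step 8 manually.'
        return
    }
    # One row per (provider, EKM key, encrypted database); encryption_state 3 = encrypted.
    $query = @"
SELECT p.name AS provider, p.is_enabled,
       k.name AS asymmetric_key, k.thumbprint, k.algorithm_desc,
       DB_NAME(e.database_id) AS encrypted_db, e.encryption_state
FROM sys.cryptographic_providers AS p
JOIN sys.asymmetric_keys AS k
  ON k.cryptographic_provider_guid = p.guid
LEFT JOIN sys.dm_database_encryption_keys AS e
  ON e.encryptor_thumbprint = k.thumbprint;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $query
}

# Usage on the failover node, after generating the access token for its connector.
$identity = Read-Host 'Identity from the failover connector access token'
$secure   = Read-Host 'Secret from the failover connector access token' -AsSecureString
$secret   = [System.Net.NetworkCredential]::new('', $secure).Password

Write-EkmCredentialFile -Path $CredentialPath -Identity $identity -Secret $secret -ServiceAccount $SqlServiceAccount
$issues = Test-EkmCredentialFile -Path $CredentialPath -ServiceAccount $SqlServiceAccount
if ($issues) { $issues | ForEach-Object { Write-Error $_ } } else { 'credential file OK' }

# After failing over (step 7), confirm the key and the encryption state from SQL Server.
Test-EkmTdeState | Format-Table -AutoSize
```

Run the first part on each failover node before you fail over; the secret differs per node because each connector has its own access token, so compare only the path and file name across nodes, not the content. The final query should return the same asymmetric_key thumbprint that you see on the primary, and encryption_state 3 for every database protected by TDE.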