Configuring Microsoft SQL Server for EKM
This section explains how to configure Microsoft SQL Server for EKM.
Ensure you have configured the KeyControl Database Connector. See Configuring KeyControl Database Connector.
Configure EKM on the SQL Server
To configure Extensible Key Management (EKM) on the SQL Server:
- Connect with the server.
- Enable Extensible Key Management. Run the following commands:
sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO
- Create Cryptographic Provider:
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'c:\program files\hcs\bin\htsqlekm_provider.dll';
GO
Configure Cryptographic Provider on SQL Server
To create the KeyControl access token and configure the cryptographic provider on SQL Server:
- On the KeyControl WebGUI interface, navigate to CloudKeys > Keysets > database connectors.
- Select the database connector and from the Action menu, select Generate Access Token.
- Copy the access token to your SQL Server and use SQL commands to create a "Credential" for your cryptographic provider.
- Create a credential to be used by system administrators, using the Access Token (Identity and Secret) that you copied to your SQL Studio Server.
CREATE CREDENTIAL sa_ekm_tde_cred
WITH IDENTITY = '<Connector name>',
SECRET = '<Secret Access Key>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
GO
- Add the credential to a privileged user with a domain login in the format [DOMAIN\login].
ALTER LOGIN [DOMAIN\login]
ADD CREDENTIAL "sa_ekm_tde_cred"; -- Credential created at step 3
GO
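
To confirm the result of both procedures, the following read-only queries check the instance option, the provider registration and the credential mapping. This is an added example, not part of the vendor's instructions; it assumes the names EKM_Prov and sa_ekm_tde_cred used above and relies only on standard SQL Server catalog views.

```sql
-- Added verification script (not from the vendor documentation).
-- EKM_Prov and sa_ekm_tde_cred are the names used in the steps above.

-- 1. The option must be active (value_in_use = 1), not only configured.
--    value = 1 with value_in_use = 0 means RECONFIGURE was not run.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'EKM provider enabled';

-- 2. The provider is registered, enabled, and loaded from the expected
--    DLL path. An unexpected dll_path deserves investigation, since the
--    DLL runs inside the SQL Server process.
SELECT provider_id, name, version, dll_path, is_enabled
FROM sys.cryptographic_providers
WHERE name = 'EKM_Prov';

-- 3. The credential is bound to that provider, and which logins hold it.
--    login_name is NULL if the ALTER LOGIN step was skipped; more rows
--    than expected means more logins can use the access token.
SELECT c.name  AS credential_name,
       c.credential_identity,
       c.target_type,
       p.name  AS provider_name,
       sp.name AS login_name
FROM sys.credentials AS c
JOIN sys.cryptographic_providers AS p
  ON c.target_type = 'CRYPTOGRAPHIC PROVIDER'
 AND c.target_id   = p.provider_id
LEFT JOIN sys.server_principal_credentials AS spc
  ON spc.credential_id = c.credential_id
LEFT JOIN sys.server_principals AS sp
  ON sp.principal_id = spc.principal_id
WHERE c.name = 'sa_ekm_tde_cred';
GO
```

The secret itself is never returned by these views; only the identity (the connector name) is visible in credential_identity.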