Configuring Microsoft SQL Server for EKM
This section explains how to configure Microsoft SQL Server for EKM.
Ensure you have configured the KeyControl Vault Database Connector. See Configuring KeyControl Vault Database Connector.
Configure EKM on the SQL Server
To configure Extensible Key Management (EKM) on the SQL Server:
- Connect to the server.
- Enable Extensible Key Management. Run the following commands:
    sp_configure 'show advanced', 1
    GO
    RECONFIGURE
    GO
    sp_configure 'EKM provider enabled', 1
    GO
    RECONFIGURE
    GO
- Create the cryptographic provider:
    CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
    FROM FILE = 'c:\program files\hcs\bin\htsqlekm_provider.dll';
    GO
Configure Cryptographic Provider on SQL Server
To create the KeyControl Vault access token and configure the cryptographic provider on SQL Server:
- On the KeyControl WebGUI interface, navigate to CloudKeys > Keysets > database connectors.
- Select the database connector and, from the Action menu, select Generate Access Token.
- Copy the access token to your SQL Server and use SQL commands to create a credential for your cryptographic provider.
- Create a credential to be used by system administrators, using the Access Token (Identity and Secret) that you copied to your SQL Studio Server.
    CREATE CREDENTIAL sa_ekm_tde_cred
    WITH IDENTITY = '<Connector name>',
    SECRET = '<Secret Access Key>'
    FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
    GO
- Add the credential to a privileged user with a domain login in the format [DOMAIN\login].
    ALTER LOGIN [DOMAIN\login]
    ADD CREDENTIAL "sa_ekm_tde_cred"; -- Credential created at step 3
    GO
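To confirm that each step above took effect, the following read-only catalog queries can be run afterwards. This is an added example, not part of the vendor's procedure; it assumes the names EKM_Prov and sa_ekm_tde_cred used above, and that a credential's target_id matches the provider's provider_id.

```sql
-- Added verification example (not vendor code). EKM_Prov and sa_ekm_tde_cred
-- are the names used in the steps above; change them if yours differ.

-- 1. EKM must be enabled and in effect: value_in_use = 1 once RECONFIGURE has run.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'EKM provider enabled';

-- 2. The provider must be registered and enabled, and dll_path should be
--    exactly the file you intended to load.
SELECT provider_id, name, version, dll_path, is_enabled
FROM sys.cryptographic_providers
WHERE name = 'EKM_Prov';

-- 3. The credential must target the cryptographic provider and be mapped to
--    the intended login. The secret itself is never exposed by these views.
--    Assumption: target_id corresponds to provider_id for provider credentials.
SELECT c.name                AS credential_name,
       c.credential_identity AS connector_identity,
       c.target_type,
       cp.name               AS provider_name,
       sp.name               AS mapped_login
FROM sys.credentials AS c
LEFT JOIN sys.cryptographic_providers AS cp
       ON c.target_type = 'CRYPTOGRAPHIC PROVIDER'
      AND c.target_id = cp.provider_id
LEFT JOIN sys.server_principal_credentials AS spc
       ON spc.credential_id = c.credential_id
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = spc.principal_id
WHERE c.name = 'sa_ekm_tde_cred';
```

A NULL provider_name means the credential was not created FOR CRYPTOGRAPHIC PROVIDER, and a NULL mapped_login means the ALTER LOGIN step has not been applied. More than one mapped_login row is worth reviewing, since every mapped login can use the provider with that access token.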