Transparent data encryption (TDE) is a new encryption feature introduced in Microsoft SQL Server 2008. It is designed to provide protection for the entire database at rest without affecting existing applications.

Extensible Key Management (EKM) is another new feature in SQL Server 2008. It enables parts of the cryptographic key hierarchy to be managed by an external source such as Hardware Security Module (HSM), referred to as a cryptographic provider. Encryption and decryption operations using these keys are handled by the cryptographic provider. This allows for flexibility and choice in cryptographic providers as well as common key management. TDE supports asymmetric keys that are provisioned by EKM. No other form of asymmetric key is supported by TDE and database certificates cannot currently be provisioned through EKM. EKM is supported for cell-level encryption through symmetric and asymmetric keys. It is highly recommended that you use EKM with both database- and cell-level encryption for more comprehensive key management and hardware-based cryptography (if available through the HSM).

Extensible Key Management (EKM) enables you to manage your encryption keys via an external provider. Extensible Key Management enables third-party vendors to implement solutions that store keys in a device such as a smart card, USB device, or a hardware security module (HSM). Encryption is the process of obfuscating data by the use of a key or password. This can make the data useless without the corresponding decryption key or password.

Introduction to Extensible Key Management : Some high-security databases use thousands of keys, and you must employ a system to store, retire, and regenerate these keys. Furthermore, you should store these keys separately from the data to improve security.

SQL Server 2008 provides Extensible Key Management, which exposes encryption functionality for use by third-party vendors. These solutions work seamlessly with databases in SQL Server 2005 and SQL Server 2008, and provide enterprise-wide, dedicated key management. This moves the key-management workload from SQL Server to a dedicated key-management system. Extensible Key Management enables key storage in a device such as a smart card or USB drive.

Extensible Key Management in SQL Server 2008 also supports the use of HSMs to provide the physical separation of keys from data. This improves security because the data remains protected even if it is stolen, because the keys are in a separate physical location.

Enabling Extensible Key Management :

Extensible Key Management is switched off by default. You can use the sp_configure stored procedure to enable it.

The following code example shows how to enable Extensible Key Management.

sp_configure 'show advanced', 1 GO RECONFIGURE GO sp_configure 'EKM provider enabled', 1 GO RECONFIGURE GO

To summarize, SQL Server 2008 Extensible Key Management provides the following benefits:

An additional authorization check that enables separation of duties between database administration and key management Improved performance through hardware-based encryption/decryption rather than software-based encryption/decryption External encryption key generation Physical separation of data and keys Encryption key retrieval External encryption key retention and encryption key rotation Easier encryption key recovery Manageable encryption key distribution Secure encryption key disposal