Configuring Microsoft SQL Server Transparent Database Encryption (TDE) key management with IBM Guardium Cryptography Manager for multinode cluster setup

Edit online

You can configure Microsoft SQL Server Transparent Database Encryption (TDE) key management with IBM® Guardium® Cryptography Manager 2.0.1 for multinode cluster setup with EKM Provider in a SQL Server Always On Availability Groups (AG) environment.

Before you begin

  • Install MSSQL Enterprise Edition MSSQL Server 2012 or later.
  • Install EKM module on all nodes. For more information, see Download the EKM installer.
  • Configure TDE client. For more information, see Configuring TDE client.
  • Create and activate asymmetric key. Form more information, see Creating asymmetric key.
  • Configure SQL Server Always On Availability Groups.
  • Enable full recovery mode for databases.
  • Ensure network connectivity between all nodes.

About this task

The cluster environment consists of:
  • Architecture: SQL Server Always On Availability Groups (AG).
  • Storage: Each node has its own local storage (no shared disks).
  • Replication: Databases are replicated from primary replica to secondary replicas.
  • Failover: Switching to another replica with its own copy of the database.

Complete the following steps to setup Microsoft SQL Server with EKM Provider in a SQL Server Always On Availability Groups (AG) environment.

Procedure

Initial EKM Setup on Primary Replica
  1. Enable advanced configuration options
    Enable access to the advanced MSSQL Server configuration options that are hidden by default. 
    USE master;
GO
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
    Where,
    • sp_configure 'show advanced options', 1: Displays advanced server configuration options.
    • RECONFIGURE: Applies the configuration change immediately.
  2. Enable EKM Provider
    Enable Extensible Key Management (EKM) functionality in MSSQL Server. EKM allows SQL Server to use external cryptographic providers for key management. 
    EXEC sp_configure 'EKM provider enabled', 1;
GO
RECONFIGURE;
GO
  3. Register the Guardium Cryptography Manager EKM Provider
    Register the Guardium Cryptography Manager EKM Provider DLL with MSSQL Server. 
    CREATE CRYPTOGRAPHIC PROVIDER GCMEKMProvider
FROM FILE = 'C:\Program Files\IBM\GCM EKM Provider\IBM_GCM_EKM_Provider.dll'
GO
    Where,
    • GCMEKMProvider: Name of the cryptographic provider.
    • FROM FILE: Specifies the full path to the provider DLL.
  4. Create authentication credentials
    Create authentication credentials for connecting to the Guardium Cryptography Manager EKM Provider. Credentials are stored encrypted in MSSQL Server. 
    CREATE CREDENTIAL GCMEKMCredential
    WITH IDENTITY = 'gcm-identity',
    SECRET = 'gcm-secret'
FOR CRYPTOGRAPHIC PROVIDER GCMEKMProvider;
GO
    Parameters:
    • GCMEKMCredential: Name for the SQL Server credential object.
    • IDENTITY: Placeholder value (SQL Server requirement; not used for GCM authentication).
    • SECRET: Placeholder value (SQL Server requirement; not used for GCM authentication).
    • GCMEKMProvider: Name of the registered EKM provider.
  5. Link Credential to Login
    Link the EKM credential to a specific MSSQL Server login. This login will use the credential to access the EKM provider to create and manage asymmetric keys. 
    ALTER LOGIN "<domain>\<login>" ADD CREDENTIAL GCMEKMCredential;

    Where, "<domain>\<login>": Microsoft SQL Server administrator's login (replace <domain> with your domain name and <login> with your username).

  6. Create Asymmetric Key Reference
    Create a reference to an existing asymmetric key stored in Guardium Cryptography Manager. 
    CREATE ASYMMETRIC KEY AsymmetricKeyReference
FROM PROVIDER GCMEKMProvider
WITH
CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'PUBLIC-KEY--UUID';
    Where,
    • AsymmetricKeyReference: Local name for the key in MSSQL Server.
    • CREATION_DISPOSITION = OPEN_EXISTING: Uses an existing key from Guardium Cryptography Manager (does not create new).
    • PROVIDER_KEY_NAME: The unique identifier of the public key in Guardium Cryptography Manager (format: KEY--UUID#).
  7. Create TDE Credentials and Login
    1. Create a dedicated credential for TDE operations. 
      CREATE CREDENTIAL GCMEKM_TDECredential
    WITH IDENTITY = 'gcm-identity',
    SECRET = 'gcm-secret'
FOR CRYPTOGRAPHIC PROVIDER GCMEKMProvider;
GO
      Where,
      • GCMEKM_TDECredential: Name for the SQL Server credential object.
      • IDENTITY: Placeholder value (SQL Server requirement; not used for Guardium Cryptography Manager authentication).
      • SECRET: Placeholder value (SQL Server requirement; not used for Guardium Cryptography Manager authentication).
      • GCMEKMProvider: Name of the registered EKM provider.
    2. Create MSSQL Server login mapped to the asymmetric key for database encryption key operations. 
      CREATE LOGIN GCMEKM_TDELogin
FROM ASYMMETRIC KEY AsymmetricKeyReference;
GO

      Where, GCMEKM_TDELogin: Name of the login for TDE operations.

    3. Link the TDE credential to the TDE login. 
      ALTER LOGIN GCMEKM_TDELogin
ADD CREDENTIAL GCMEKM_TDECredential;
GO
  8. Create and encrypt database
    1. To test TDE functionality, you can either create a new database or use an existing one.
      • Create a new database. 
        CREATE DATABASE TestDB
GO

        OR

      • Use an existing database. 
        USE TestDB
GO
    2. Create the Database Encryption Key (DEK) for TDE. 
      CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY AsymmetricKeyReference;
GO
      Where,
      • ALGORITHM = AES_256: Uses AES 256-bit encryption (strongest available).
      • ENCRYPTION BY SERVER ASYMMETRIC KEY: The DEK is encrypted by the asymmetric key from Guardium Cryptography Manager.
    3. Enable TDE on the database. 
      ALTER DATABASE TestDB
SET ENCRYPTION ON;
GO
  9. Verify encryption status
    1. Verify encryption status. 
      SELECT * FROM sys.dm_database_encryption_keys;
      Where,
      • Output shows database_id, encryption_state, key_algorithm, and other encryption details.
      • encryption_state values:
        • 0 = No encryption
        • 1 = Unencrypted
        • 2 = Encryption in progress
        • 3 = Encrypted
        • 4 = Key change in progress
        • 5 = Decryption in progress
    2. View detailed encryption status query. 
      SELECT (SELECT name FROM sys.databases WHERE database_id = k.database_id) as name,
    encryption_state, key_algorithm, key_length,
    encryptor_type, encryption_state_desc, encryption_scan_state_desc
FROM sys.dm_database_encryption_keys k;
      Where,
      • name: Database name.
      • encryption_state: Numeric encryption state.
      • key_algorithm: Encryption algorithm used (e.g., AES).
      • key_length: Key length in bits (e.g., 256)
      • encryptor_type: Type of encryptor (asymmetric key, certificate, etc.)
      • encryption_state_desc: Human-readable encryption state.
      • encryption_scan_state_desc: Current scan status during encryption.
EKM Setup on Secondary Replicas
Key points:
  • Install EKM module on each secondary replica.
  • Each replica requires its own EKM configuration.
  • Databases created on one replica do not automatically appear on other replicas in AG.
Note:
Initial EKM Provider Configuration (One-Time Setup)
  • Steps 10-14 are only required if the EKM provider is not already configured on the secondary replica. If the EKM provider is already registered, skip to Step 15.
  1. Enable advanced configuration options (if not already configured)
    Enable access to the advanced MSSQL Server configuration options that are hidden by default. 
    USE master;
GO
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
  2. Enable EKM Provider (if not already configured)
    Enable Extensible Key Management (EKM) functionality in MSSQL Server. 
    EXEC sp_configure 'EKM provider enabled', 1;
GO
RECONFIGURE;
GO
  3. Register EKM Module on secondary replica (if not already configured)
    Register the Guardium Cryptography Manager EKM Provider DLL with MSSQL Server. 
    CREATE CRYPTOGRAPHIC PROVIDER GCMEKMProvider
FROM FILE = 'C:\Program Files\IBM\GCM EKM Provider\IBM_GCM_EKM_Provider.dll'
GO
  4. Create authentication credentials (if not already configured)
    Create authentication credentials for connecting to the Guardium Cryptography Manager EKM Provider. 
    CREATE CREDENTIAL GCMEKMCredential
    WITH IDENTITY = 'gcm-identity',
    SECRET = 'gcm-secret'
FOR CRYPTOGRAPHIC PROVIDER GCMEKMProvider;
GO
    Parameters:
    • GCMEKMCredential: Name for the SQL Server credential object.
    • IDENTITY: Placeholder value (SQL Server requirement; not used for GCM authentication).
    • SECRET: Placeholder value (SQL Server requirement; not used for GCM authentication).
    • GCMEKMProvider: Name of the registered EKM provider.
  5. Link credential to login (if not already configured)
    Link the EKM credential to a specific MSSQL Server login. 
    ALTER LOGIN "<domain>\<login>" ADD CREDENTIAL GCMEKMCredential;

    Where, "<domain>\<login>": Microsoft SQL Server administrator's login (replace <domain> with your domain name and <login> with your username).

Database replication in Availability Groups

Understanding AG Replication

In Always On Availability Groups:
  • Databases created on the primary replica do not automatically appear on secondary replicas.
  • You must explicitly add the database to the Availability Group.
  • SQL Server will then replicate it to secondary replicas.
  • Until added to AG, worker replicas do not show the database.
Prerequisites for adding database to AG
  • Database must be in FULL recovery mode.
  • Take full backup.
  • Take transaction log backup.
  1. Prepare database on primary replica
    1. Create backup directory (if it doe not exist):
      1. Create a folder on the primary replica, for example: C:\Backup\
      2. Ensure SQL Server service account has write permissions to this directory
    2. Take database backups 
      USE master;
GO

ALTER DATABASE [YourDatabaseName] SET RECOVERY FULL;

-- Replace 'C:\Backup\' with your actual backup directory path
BACKUP DATABASE [YourDatabaseName] TO DISK = 'C:\Backup\YourDatabaseName.bak';
BACKUP LOG [YourDatabaseName] TO DISK = 'C:\Backup\YourDatabaseName.trn';
      Note:

      The backup files (.bak and .trn) is created in the specified directory on the primary replica.

  2. Copy backup files to secondary replicas
    Note:

    If backup files are not automatically copied to secondary replicas, you must manually transfer them.

    1. Locate the backup files on the primary replica (e.g., C:\Backup\YourDatabaseName.bak and C:\Backup\YourDatabaseName.trn)
    2. Create a backup directory on each secondary replica (e.g., C:\Backup\)
    3. Copy both files (.bak and .trn) from the primary replica to the same directory on each secondary replica
    4. Ensure SQL Server service account on secondary replicas has read permissions to these files
    For example:
    • Primary replica: C:\Backup\YourDatabaseName.bak → Secondary replica: C:\Backup\YourDatabaseName.bak
    • Primary replica: C:\Backup\YourDatabaseName.trn → Secondary replica: C:\Backup\YourDatabaseName.trn
  3. Create asymmetric key reference on secondary replica
    Run the following command for each database that you want to replicate. Create a reference to the same asymmetric key that exists on the primary replica. 
    CREATE ASYMMETRIC KEY AsymmetricKeyReference_Secondary
FROM PROVIDER GCMEKMProvider
WITH
CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'PUBLIC-KEY--UUID';
    Where,
    • AsymmetricKeyReference_Secondary: Local name for the key in MSSQL Server (must match the name used on primary replica).
    • CREATION_DISPOSITION = OPEN_EXISTING: Uses an existing key from Guardium Cryptography Manager (does not create new).
    • PROVIDER_KEY_NAME: The unique identifier of the public key in Guardium Cryptography Manager (format: PUBLIC-KEY--UUID#).
    Note:

    Use the exact same PUBLIC-KEY--UUID value in PROVIDER_KEY_NAME as used on the primary replica.

  4. Create TDE credentials and login on secondary replica
    1. Create a dedicated credential for TDE operations. 
      CREATE CREDENTIAL GCMEKM_TDECredential_Secondary
    WITH IDENTITY = 'gcm-identity',
    SECRET = 'gcm-secret'
FOR CRYPTOGRAPHIC PROVIDER GCMEKMProvider;
GO
      Parameters:
      • GCMEKM_TDECredential_Secondary: Name for the SQL Server credential object.
      • IDENTITY: Placeholder value (SQL Server requirement; not used for Guardium Cryptography Manager authentication).
      • SECRET: Placeholder value (SQL Server requirement; not used for Guardium Cryptography Manager authentication).
      • GCMEKMProvider: Name of the registered EKM provider.
    2. Create MSSQL Server login mapped to the asymmetric key for database encryption key operations. 
      CREATE LOGIN GCMEKM_TDELogin_Secondary
FROM ASYMMETRIC KEY AsymmetricKeyReference_Secondary;
GO
    3. Link the TDE credential to the TDE login. 
      ALTER LOGIN GCMEKM_TDELogin_Secondary
ADD CREDENTIAL GCMEKM_TDECredential_Secondary;
GO
  5. Restore database on secondary replica 
    RESTORE DATABASE [YourDatabaseName]
FROM DISK = 'C:\BACKUP\YourDatabaseName.bak' 
WITH NORECOVERY;

RESTORE LOG [YourDatabaseName]
FROM DISK = 'C:\BACKUP\YourDatabaseName.trn' 
WITH NORECOVERY;

ALTER DATABASE [YourDatabaseName]
SET HADR AVAILABILITY GROUP = [YourAGName];
  6. Verify synchronization
    Check that the database shows a synchronized state in the AG dashboard.
    1. Verify encryption status on secondary replica 
      SELECT * FROM sys.dm_database_encryption_keys;
    2. View detailed encryption status 
      SELECT (SELECT name FROM sys.databases WHERE database_id = k.database_id) as name,
    encryption_state, key_algorithm, key_length,
    encryptor_type, encryption_state_desc, encryption_scan_state_desc
FROM sys.dm_database_encryption_keys k;

    Expected result: encryption_state should be 3 (Encrypted) and encryption_state_desc should show ENCRYPTED.

Enabling encryption on existing replicated databases

Scenario: Database already in AG, need to enable encryption

  1. Enable encryption on primary replica
    Use an existing asymmetric key reference or create a new asymmetric key reference to enable encryption on the database.
    Note: If you create a new asymmetric key reference, you must also create the associated credential and login as described in Step 7.
  2. Create asymmetric key reference on secondary replica
    After enabling encryption on the primary replica, create the corresponding asymmetric key reference on each secondary replica along with the associated credentials and logins (if not already present). 
    CREATE ASYMMETRIC KEY AsymmetricKeyReference_2
FROM PROVIDER GCMEKMProvider
WITH
CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'PUBLIC-KEY--UUID';
    Where,
    • AsymmetricKeyReference_2: Local name for the key in Microsoft SQL Server.
    • CREATION_DISPOSITION = OPEN_EXISTING: Uses an existing key from Guardium Cryptography Manager (does not create new).
    • PROVIDER_KEY_NAME: The unique identifier of the public key in Guardium Cryptography Manager (format: KEY--UUID#).
    Note:

    Use the exact same PUBLIC-KEY--UUID value in PROVIDER_KEY_NAME as used on the primary replica. If the credentials and logins for this asymmetric key reference do not exist on the secondary replica, create them following the same process as described in Step 7.

  3. Take backup after encryption
    Create or verify backup directory on the primary replica (for example, C:\Backup\). Take Fresh Backups: 
    ALTER DATABASE [YourDatabaseName] SET RECOVERY FULL;

-- Replace 'C:\Backup\' with your actual backup directory path
BACKUP DATABASE [YourDatabaseName] TO DISK = 'C:\Backup\YourDatabaseName_after_Encryption.bak';
BACKUP LOG [YourDatabaseName] TO DISK = 'C:\Backup\YourDatabaseName_after_Encryption.trn';
  4. Remove database from AG on secondary (temporarily)
    This is required because SQL Server does not allow manual BACKUP or RESTORE on a database participating as a secondary replica in an AG. 
    ALTER DATABASE [YourDatabaseName] SET HADR OFF;
  5. Restore on secondary replica
    1. Copy backup files
      1. Copy YourDatabaseName_after_Encryption.bak from primary replica to secondary replica (e.g., to C:\Backup\).
      2. Copy YourDatabaseName_after_Encryption.trn from primary replica to secondary replica.
    2. Restore database 
      RESTORE DATABASE [YourDatabaseName]
FROM DISK = 'C:\BACKUP\YourDatabaseName_after_Encryption.bak' 
WITH NORECOVERY;

RESTORE LOG [YourDatabaseName]
FROM DISK = 'C:\BACKUP\YourDatabaseName_after_Encryption.trn' 
WITH NORECOVERY;

ALTER DATABASE [YourDatabaseName]
SET HADR AVAILABILITY GROUP = [YourAGName];
  6. Verify synchronization

    The database should now show as synchronized in the AG dashboard.

    1. Verify encryption status on secondary replica. 
      SELECT * FROM sys.dm_database_encryption_keys;
    2. View detailed encryption status. 
      SELECT (SELECT name FROM sys.databases WHERE database_id = k.database_id) as name,
    encryption_state, key_algorithm, key_length,
    encryptor_type, encryption_state_desc, encryption_scan_state_desc
FROM sys.dm_database_encryption_keys k;

      Expected result: encryption_state should be 3 (Encrypted) and the database should show as synchronized.

Rotating asymmetric key reference in multi-replica environment

You can rotate the asymmetric key reference in a multi-replica environment for Microsoft SQL Server Always On Availability Groups. The rotation is performed on the primary replica, and then the same asymmetric key reference must be created on secondary replicas.

Before you begin
  • Ensure that a new asymmetric key exists in Guardium Cryptography Manager with a unique identifier.
  • Ensure that the Guardium Cryptography Manager EKM Provider is already configured and operational on all replicas.
  • Ensure that you have sysadmin privileges on the Microsoft SQL Server instance.
  • Ensure that the target database already has TDE enabled and is part of the Availability Group.
Note:
  • Key rotation is initiated on the primary replica.
  • After rotation on primary, you must create the same asymmetric key reference on secondary replicas.
  • Rotating the database encryption key does not re-encrypt the entire database; it only changes which key protects the DEK.
  1. Create reference to new asymmetric key on primary replica
    Create a reference to the new asymmetric key that already exists in Guardium Cryptography Manager. This key will be used to re-encrypt the Database Encryption Key (DEK). 
    USE master
GO

CREATE ASYMMETRIC KEY RotatedAsymmetricKeyReference
FROM PROVIDER GCMEKMProvider
WITH
CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'PUBLIC-KEY--UUID';
    Where,
    • RotatedAsymmetricKeyReference: Local name for the new key in SQL Server (can be customized).
    • GCMEKMProvider: Name of the cryptographic provider (must match your existing provider name).
    • CREATION_DISPOSITION = OPEN_EXISTING: References an existing key from Guardium Cryptography Manager.
    • PROVIDER_KEY_NAME: The unique identifier of the new public key in Guardium Cryptography Manager (format: PUBLIC-KEY--UUID where UUID is your new key's identifier).
  2. Create authentication credentials for key rotation
    Create authentication credentials for the key rotation operation. 
    CREATE CREDENTIAL GCMEKM_RotationCredential
    WITH IDENTITY = 'gcm-identity',
    SECRET = 'gcm-secret'
FOR CRYPTOGRAPHIC PROVIDER GCMEKMProvider;
GO
    Parameters:
    • GCMEKM_RotationCredential: Name of the credential object for rotation.
    • IDENTITY: Placeholder value (Microsoft SQL Server requirement, not used for Guardium Cryptography Manager authentication).
    • SECRET: Placeholder value (Microsoft SQL Server requirement, not used for Guardium Cryptography Manager authentication).
    • GCMEKMProvider: Name of the registered EKM provider.
  3. Create login for rotation operation
    Create Microsoft SQL Server login mapped to the new asymmetric key to perform the database encryption key rotation. 
    CREATE LOGIN GCMEKM_RotationLogin
FROM ASYMMETRIC KEY RotatedAsymmetricKeyReference;

    Where, GCMEKM_RotationLogin: Name of the login for the rotation operation (can be customized).

  4. Link credential to login
    Link the rotation credential to the rotation login. 
    ALTER LOGIN GCMEKM_RotationLogin
ADD CREDENTIAL GCMEKM_RotationCredential;
GO
  5. Switch to target database
    Switch context to the database where TDE key rotation will be performed. This database must already have TDE enabled with an existing Database Encryption Key (DEK). 
    USE YourDatabaseName;
GO

    Where, YourDatabaseName: Name of the database with TDE enabled (replace with your actual database name).

  6. Rotate the KEK
    Rotate the KEK on the primary replica. 
    ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY RotatedAsymmetricKeyReference;
    Note:

    Rotating the KEK does not re-encrypt the entire database. It only changes which key protects the DEK.

  7. Verify key rotation on primary replica
    After completing the key rotation, verify the changes on the primary replica.
    1. Check encryption key details. 
      SELECT
    DB_NAME(database_id) as DatabaseName,
    encryption_state_desc,
    key_algorithm,
    key_length,
    encryptor_type,
    encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE DB_NAME(database_id) = 'YourDatabaseName';
    2. Verify the asymmetric key. 
      SELECT
    name,
    thumbprint,
    algorithm_desc,
    pvt_key_encryption_type_desc
FROM sys.asymmetric_keys
WHERE name = 'RotatedAsymmetricKeyReference';
    Expected result:
    • encryption_state_desc should be 'ENCRYPTED'.
    • The encryptor_thumbprint should match the new asymmetric key's thumbprint.
    • The asymmetric key should be listed with correct algorithm details.
  8. Create asymmetric key reference on secondary replicas
    After rotating the key on the primary replica, you must create the same asymmetric key reference on each secondary replica to ensure they can decrypt the database.
    Note:

    Perform the following steps on each secondary replica.

    USE master
GO

CREATE ASYMMETRIC KEY RotatedAsymmetricKeyReference
FROM PROVIDER GCMEKMProvider
WITH
CREATION_DISPOSITION = OPEN_EXISTING,
PROVIDER_KEY_NAME = 'PUBLIC-KEY--UUID';
GO

CREATE CREDENTIAL GCMEKM_RotationCredential
    WITH IDENTITY = 'gcm-identity',
    SECRET = 'gcm-secret'
FOR CRYPTOGRAPHIC PROVIDER GCMEKMProvider;
GO

CREATE LOGIN GCMEKM_RotationLogin
FROM ASYMMETRIC KEY RotatedAsymmetricKeyReference;
GO

ALTER LOGIN GCMEKM_RotationLogin
ADD CREDENTIAL GCMEKM_RotationCredential;
GO
  9. Verify key rotation on secondary replicas
    After creating the asymmetric key reference on secondary replicas, verify the encryption status.
    1. On each secondary replica, verify encryption status. 
      SELECT
    DB_NAME(database_id) as DatabaseName,
    encryption_state_desc,
    key_algorithm,
    key_length,
    encryptor_type,
    encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE DB_NAME(database_id) = 'YourDatabaseName';
    2. Verify whether the asymmetric key exists. 
      SELECT
    name,
    thumbprint,
    algorithm_desc,
    pvt_key_encryption_type_desc
FROM sys.asymmetric_keys
WHERE name = 'RotatedAsymmetricKeyReference';
    Expected result:
    • encryption_state_desc should be 'ENCRYPTED'.
    • The encryptor_thumbprint should match the thumbprint from the primary replica.
    • The asymmetric key should be listed with correct algorithm details.
    Note:

    Changes made on the primary replica automatically replicate to secondary replicas.

    Secondary replicas are read-only.

    Note: To review encryption or decryption activity, or to investigate errors, check the Windows Event Logs. Logs generated by the Guardium Cryptography Manager EKM provider appear in Windows Logs > Application > Event Viewer with the source listed as GCM EKM Provider .