The EKM provider requires AppRole auth and the Transit secrets engine to be set up
on the Vault server. The steps below can be used to configure Vault so that the
EKM provider can use it.
Note: The first release of the Vault EKM provider does not support custom
mount paths or namespaces for the AppRole and Transit engines.
Note: rsa-2048 is currently the only supported key type.
```sql
-- Replace <approle-role-id> and <approle-secret-id> with the values from
-- the earlier vault commands again
CREATE CREDENTIAL TransitVaultTDECredentials
    WITH IDENTITY = '<approle-role-id>',
    SECRET = '<approle-secret-id>'
    FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
GO

CREATE LOGIN TransitVaultTDELogin
    FROM ASYMMETRIC KEY TransitVaultAsymmetric;
GO

ALTER LOGIN TransitVaultTDELogin
    ADD CREDENTIAL TransitVaultTDECredentials;
GO
```
Finally, you can enable TDE and protect the database encryption key with
the asymmetric key managed by Vault's Transit secret engine:
```sql
CREATE DATABASE TestTDE
GO

USE TestTDE;
GO

CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetric;
GO

ALTER DATABASE TestTDE
    SET ENCRYPTION ON;
GO
```
Check the status of database encryption using the following queries:
```sql
SELECT * FROM sys.dm_database_encryption_keys;

SELECT (SELECT name FROM sys.databases WHERE database_id = k.database_id) AS name,
       encryption_state, key_algorithm, key_length,
       encryptor_type, encryption_state_desc, encryption_scan_state_desc
FROM sys.dm_database_encryption_keys k;
```
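The status queries above show whether the database is encrypted, but not whether the database encryption key is actually wrapped by the Vault-managed key rather than a local certificate. The following T-SQL is an added verification script, not part of the Vault documentation or the EKM provider; it assumes the object names used on this page (TransitVaultProvider, TransitVaultAsymmetric, TransitVaultTDECredentials, TransitVaultTDELogin, TestTDE) and that the asymmetric key was created in master.

```sql
-- Added verification script (assumption: object names from the steps above).

-- 1. The EKM provider is registered and enabled on the instance.
SELECT name, version, dll_path, is_enabled
FROM sys.cryptographic_providers
WHERE name = 'TransitVaultProvider';

-- 2. The asymmetric key is backed by that provider (provider_type =
--    'CRYPTOGRAPHIC PROVIDER'), i.e. the private key never lives in SQL Server.
SELECT k.name, k.provider_type, k.algorithm_desc, k.key_length,
       p.name AS provider_name
FROM master.sys.asymmetric_keys k
JOIN sys.cryptographic_providers p
  ON p.guid = k.cryptographic_provider_guid
WHERE k.name = 'TransitVaultAsymmetric';

-- 3. The login created from the key is mapped to the AppRole credential that
--    the provider uses to call Transit (identity = role-id, secret not shown).
SELECT sp.name AS login_name, c.name AS credential_name, c.credential_identity
FROM sys.server_principals sp
JOIN sys.server_principal_credentials spc ON spc.principal_id = sp.principal_id
JOIN sys.credentials c ON c.credential_id = spc.credential_id
WHERE sp.name = 'TransitVaultTDELogin';

-- 4. The DEK of TestTDE is wrapped by exactly that key: the encryptor
--    thumbprint must match the asymmetric key's thumbprint, the encryptor
--    type must be ASYMMETRIC KEY, and the state must be ENCRYPTED (3).
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state, dek.encryption_state_desc,
       dek.key_algorithm, dek.key_length, dek.encryptor_type,
       CASE WHEN ak.name = 'TransitVaultAsymmetric' THEN 'OK'
            ELSE 'NOT PROTECTED BY VAULT KEY' END AS encryptor_check
FROM sys.dm_database_encryption_keys dek
LEFT JOIN master.sys.asymmetric_keys ak
  ON ak.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID('TestTDE');
```

Any row in step 4 that reports something other than OK with encryption_state 3 means TDE is enabled but the DEK is protected by a different encryptor or the initial encryption scan has not finished.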