
Installing the Vault EKM Provider

Prerequisites

  • Vault Enterprise server 1.9+ with a license for the Advanced Data Protection Key Management module
  • Microsoft SQL Server for Windows (SQL Server for Linux does not support EKM)
  • An authenticated Vault client

To check your Vault version and license, you can run:

vault status
vault license get -format=json

The list of features should include "Key Management Transparent Data Encryption".

Installing the Vault EKM provider

Configuring Vault

The EKM provider requires AppRole auth and the Transit secrets engine to be set up on the Vault server. The steps below configure Vault so that the EKM provider can use it.

Note: The first release of the Vault EKM provider does not support custom mount paths or namespaces for the AppRole and Transit engines.

Note: rsa-2048 is currently the only supported key type.

  1. Set up AppRole auth:

    vault auth enable approle
    vault write auth/approle/role/ekm-encryption-key-role \
        token_ttl=20m \
        max_token_ttl=30m \
        token_policies=tde-policy
    
  2. Retrieve the AppRole ID and secret ID for use later when configuring SQL Server:

    vault read auth/approle/role/ekm-encryption-key-role/role-id
    vault write -f auth/approle/role/ekm-encryption-key-role/secret-id
    
  3. Enable the transit secret engine and create a key:

    vault secrets enable transit
    vault write -f transit/keys/ekm-encryption-key type="rsa-2048"
    
  4. Create a policy for the Vault EKM provider to use. The following policy has the minimum required permissions:

    vault policy write tde-policy -<<EOF
    path "transit/keys/ekm-encryption-key" {
        capabilities = ["create", "read", "update", "delete"]
    }
    
    path "transit/keys" {
        capabilities = ["list"]
    }
    
    path "transit/encrypt/ekm-encryption-key" {
        capabilities = ["update"]
    }
    
    path "transit/decrypt/ekm-encryption-key" {
        capabilities = ["update"]
    }
    
    path "sys/license/status" {
        capabilities = ["read"]
    }
    EOF
    

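Before attaching this policy to the AppRole, it is worth confirming that it is exactly the minimum the page describes and nothing broader. The following added example (not part of the HashiCorp docs or the EKM provider) checks a policy text against that required set of paths and capabilities; `REQUIRED`, `parse_policy`, `check_policy` and the two sample policy strings are this example's own names, and its regex reader handles only the simple `path "..." { capabilities = [...] }` shape used on this page, not full HCL.

```python
"""Least-privilege check for the policy the EKM provider's AppRole receives.

Added example, not HashiCorp's code. It reads a Vault policy in the simple
`path "..." { capabilities = [...] }` shape used on this page (Vault itself
accepts full HCL; this small regex reader does not) and reports any path
that is missing, lacks a required capability, carries extra capabilities,
uses a wildcard, or grants sudo/root.
"""
import re

# Minimum capabilities the page lists for tde-policy.
REQUIRED = {
    "transit/keys/ekm-encryption-key": {"create", "read", "update", "delete"},
    "transit/keys": {"list"},
    "transit/encrypt/ekm-encryption-key": {"update"},
    "transit/decrypt/ekm-encryption-key": {"update"},
    "sys/license/status": {"read"},
}

# Constructed sample input: the tde-policy text from the page.
TDE_POLICY = """
path "transit/keys/ekm-encryption-key" {
    capabilities = ["create", "read", "update", "delete"]
}
path "transit/keys" {
    capabilities = ["list"]
}
path "transit/encrypt/ekm-encryption-key" {
    capabilities = ["update"]
}
path "transit/decrypt/ekm-encryption-key" {
    capabilities = ["update"]
}
path "sys/license/status" {
    capabilities = ["read"]
}
"""

# Constructed counter-example: far broader than the EKM provider needs.
OVERBROAD_POLICY = """
path "transit/*" {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
"""

_PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAPABILITIES = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(text):
    """Return {path: set(capabilities)} for a policy in the simple form above."""
    policy = {}
    for path, body in _PATH_BLOCK.findall(text):
        match = _CAPABILITIES.search(body)
        caps = set(re.findall(r'"([^"]+)"', match.group(1))) if match else set()
        policy[path] = caps
    return policy


def check_policy(text, required=REQUIRED):
    """Return a list of findings; an empty list means the policy is exactly the minimum."""
    policy = parse_policy(text)
    findings = []
    # Every required path must exist with at least, and ideally exactly, its capabilities.
    for path, needed in required.items():
        granted = policy.get(path)
        if granted is None:
            findings.append(f"missing path {path}")
        elif not needed <= granted:
            findings.append(f"{path}: missing capabilities {sorted(needed - granted)}")
        elif granted - needed:
            findings.append(f"{path}: extra capabilities {sorted(granted - needed)}")
    # Anything outside the required set, any wildcard, and any sudo/root grant is a finding.
    for path, granted in policy.items():
        if path not in required:
            findings.append(f"unexpected path {path}")
        if "*" in path or "+" in path.split("/"):
            findings.append(f"{path}: wildcard path")
        if granted & {"sudo", "root"}:
            findings.append(f"{path}: privileged capability")
    return findings


if __name__ == "__main__":
    for name, text in (("tde-policy", TDE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        findings = check_policy(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the policy text from the page it reports nothing; against the constructed over-broad policy it reports each specific path as missing, the `transit/*` path as unexpected and a wildcard, and the `sudo` grant as privileged. The text fed to `check_policy` can come from the local file you are about to write or from `vault policy read tde-policy` on a server that already has it.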
Configuring SQL Server

The remaining steps are all run on the database server.

Install the EKM provider on the server

  1. Download and run the latest Vault EKM provider installer from releases.hashicorp.com

  2. Enter your Vault server's address when prompted and complete the installer

Configure the EKM provider using SQL

Open Microsoft SQL Server Management Studio, and run the queries below to complete installation.

  1. Enable the EKM feature and create a cryptographic provider using the folder you just installed the EKM provider into.

    -- Enable advanced options
    USE master;
    GO
    
    EXEC sp_configure 'show advanced options', 1;
    GO
    
    RECONFIGURE;
    GO
    
    -- Enable EKM provider
    EXEC sp_configure 'EKM provider enabled', 1;
    GO
    
    RECONFIGURE;
    GO
    
    CREATE CRYPTOGRAPHIC PROVIDER TransitVaultProvider
    FROM FILE = 'C:\Program Files\HashiCorp\Transit Vault EKM Provider\TransitVaultEKM.dll'
    GO
    
  2. Next, create credentials for an administrator to use EKM, using the AppRole role ID and secret ID retrieved above:

    -- Replace <approle-role-id> and <approle-secret-id> with the values from
    -- the earlier vault commands:
    -- vault read auth/approle/role/ekm-encryption-key-role/role-id
    -- vault write -f auth/approle/role/ekm-encryption-key-role/secret-id
    CREATE CREDENTIAL TransitVaultCredentials
        WITH IDENTITY = '<approle-role-id>',
        SECRET = '<approle-secret-id>'
    FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
    GO
    
    -- Replace <domain>\<login> with the SQL Server administrator's login
    ALTER LOGIN "<domain>\<login>" ADD CREDENTIAL TransitVaultCredentials;
    
  3. You can now create an asymmetric key using the transit key set up earlier:

    CREATE ASYMMETRIC KEY TransitVaultAsymmetric
    FROM PROVIDER TransitVaultProvider
    WITH
    CREATION_DISPOSITION = OPEN_EXISTING,
    PROVIDER_KEY_NAME = 'ekm-encryption-key';
    
  4. Create another login from the new asymmetric key:

    -- Replace <approle-role-id> and <approle-secret-id> with the values from
    -- the earlier vault commands again
    CREATE CREDENTIAL TransitVaultTDECredentials
        WITH IDENTITY = '<approle-role-id>',
        SECRET = '<approle-secret-id>'
    FOR CRYPTOGRAPHIC PROVIDER TransitVaultProvider;
    GO
    
    CREATE LOGIN TransitVaultTDELogin
    FROM ASYMMETRIC KEY TransitVaultAsymmetric;
    GO
    
    ALTER LOGIN TransitVaultTDELogin
    ADD CREDENTIAL TransitVaultTDECredentials;
    GO
    
  5. Finally, you can enable TDE and protect the database encryption key with the asymmetric key managed by Vault's Transit secret engine:

    CREATE DATABASE TestTDE
    GO
    
    USE TestTDE;
    GO
    
    CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TransitVaultAsymmetric;
    GO
    
    ALTER DATABASE TestTDE
    SET ENCRYPTION ON;
    GO
    
  6. Check the status of database encryption using the following queries:

    SELECT * FROM sys.dm_database_encryption_keys;
    
    SELECT (SELECT name FROM sys.databases WHERE database_id = k.database_id) as name, 
        encryption_state, key_algorithm, key_length,
        encryptor_type, encryption_state_desc, encryption_scan_state_desc FROM sys.dm_database_encryption_keys k;
    
    