Microsoft SQL Server Always Encrypted
This document describes how to secure data in Microsoft SQL Server using Securosys Hardware Security Modules (HSMs).
Microsoft SQL Server 2019 (15.x) and later offers a feature called “Always Encrypted” (AE). Always Encrypted is designed to protect sensitive data, such as credit card numbers or national identification numbers, both at rest and in transit. It works by encrypting the data on the client side, before it is sent to SQL Server, so the database server only ever handles ciphertext.
There are a couple of good reasons why Always Encrypted should be used:
- Regulatory support: Personal data must be protected by an ever increasing number of industry regulations, such as EU GDPR or US HIPAA.
- Data Security: Because AE encrypts data at the client, it adds protection both in-transit (between the client and the database server) and at-rest (on the database server)
Architecture

The Always Encrypted feature of Microsoft SQL Server encrypts and decrypts data on the client, using an AE-enabled database driver. This driver uses the Primus CNG Provider to access the Primus HSM. The CNG Provider is installed on the same machine as the business application and the database driver. In this way, the database driver can use the HSM as a secure key store: the column master key never leaves the HSM, and the database server never has access to it.
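The following T-SQL is an added illustration of the architecture described above; it is not part of the Securosys guide and does not come from the Tutorials section. It registers a column master key (CMK) that lives in a CNG key store, creates a column encryption key (CEK) wrapped by that CMK, and defines a table whose sensitive columns are encrypted with the CEK. The CNG provider display name `Securosys Primus HSM Key Storage Provider` and the key name `AE_CMK` are assumptions; substitute the values your Primus CNG Provider installation actually registers. The `ENCRYPTED_VALUE` is a placeholder: it must be produced on a client that can reach the HSM (for example the SSMS Always Encrypted wizard or the SqlServer PowerShell module), because the server cannot wrap the CEK itself.

```sql
-- 1. Column master key: metadata only. The RSA key pair itself stays in the
--    HSM; SQL Server stores just the provider name and the key path.
--    Provider display name and key name below are assumptions.
CREATE COLUMN MASTER KEY CMK_Primus
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CNG_STORE',
    KEY_PATH = 'Securosys Primus HSM Key Storage Provider/AE_CMK'
);
GO

-- 2. Column encryption key: a random AES-256 key generated on the client and
--    RSA-OAEP-wrapped by the CMK inside the HSM. Only the wrapped blob is
--    stored in the database. 0x00 is a placeholder for that client-generated
--    blob; the statement will not succeed with the placeholder as-is.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Primus,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder: replace with the wrapped CEK
);
GO

-- 3. Table with two encrypted columns (constructed sample schema).
--    DETERMINISTIC allows equality lookups but leaks equal plaintexts as equal
--    ciphertexts, and requires a *_BIN2 collation on character columns.
--    RANDOMIZED is stronger and should be used where no lookup is needed.
CREATE TABLE dbo.Customers (
    CustomerId       INT IDENTITY(1,1) PRIMARY KEY,
    Name             NVARCHAR(100) NOT NULL,
    NationalId       CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Customers,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL,
    CreditCardNumber CHAR(19) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Customers,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);
GO

-- 4. Verification: confirm the CEK is bound to the HSM-backed CMK. Note that
--    encrypted_value is all the server ever holds for the CEK.
SELECT cmk.name                     AS master_key,
       cmk.key_store_provider_name,
       cmk.key_path,
       cek.name                     AS encryption_key,
       v.encryption_algorithm_name
FROM sys.column_master_keys            AS cmk
JOIN sys.column_encryption_key_values  AS v
       ON v.column_master_key_id = cmk.column_master_key_id
JOIN sys.column_encryption_keys        AS cek
       ON cek.column_encryption_key_id = v.column_encryption_key_id;
GO

-- 5. A session without "Column Encryption Setting=Enabled" in its connection
--    string (for example a DBA using plain SSMS) sees only varbinary
--    ciphertext here; decryption happens solely in AE-enabled drivers that can
--    reach the CNG provider and therefore the HSM.
SELECT CustomerId, Name, NationalId, CreditCardNumber
FROM dbo.Customers;
```

Inserts and equality predicates against the encrypted columns must be issued as parameterized statements from an AE-enabled driver with `Column Encryption Setting=Enabled`; the driver fetches the CEK metadata, asks the Primus CNG Provider to unwrap it inside the HSM, and encrypts the parameter values before they leave the client machine.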
Target Audience
This document is intended for Securosys Primus HSM or Microsoft administrators and IT professionals in charge of the Microsoft SQL Server administration. This guide requires that you are already familiar with Microsoft Windows Server administration.
For on-premises HSM deployments, administrative skills are required to manage the Securosys Primus HSM.
Getting Started
For a smooth start integrating your Primus HSM with Microsoft SQL Server:
- Consult the Quick Start Guide for a quick overview.
- For detailed instructions on installing and configuring your CloudHSM or Primus HSM with Microsoft SQL Server, read and follow the Installation section.
- Enable column encryption for Microsoft SQL Server by following the Tutorials section.