---
title: "Fortanix DSM with Microsoft SQL Server TDE - Introduction"
slug: "data-security-manager-with-microsoft-sql-server-tde-integration-introduction"
updated: 2026-05-05T06:25:24Z
published: 2026-05-05T06:25:24Z
---


# Fortanix DSM with Microsoft SQL Server TDE - Introduction

## 1.0 Introduction

This article describes how to integrate **Fortanix-Data-Security-Manager (DSM)** with **Microsoft SQL Server Transparent Data Encryption (TDE)**.

Microsoft Cryptographic Next Generation (CNG) Provider enables the use of Fortanix DSM for the storage of cryptographic keys and cryptographic operations such as key creation, deletion, encryption, decryption, and so on.

TDE is more secure when the encryption keys do not reside with the encrypted data. The data is encrypted with Data Encryption Keys (DEK), and these DEKs are in turn protected by a Master Encryption Key (MEK) that resides in Fortanix DSM.

## 2.0 Product Version Tested

The following versions are supported in Fortanix DSM:

- **Windows:** v2012, v2016, v2019, v2020, v2022, and v2025
- **Fortanix DSM:** from v3.0 to latest
- **Fortanix CNG Provider:** from v3.0 to latest
- **SQL Server TDE Features**

| **Feature** | **Standard** | **Enterprise** | **Web** | **Express with Advanced Services** | **Express** |
| --- | --- | --- | --- | --- | --- |
| **SQL Server 2025** | Y | Y | Y | N | N |
| **SQL Server 2022** | Y | Y | Y | N | N |
| **SQL Server 2019** | Y | Y | Y | N | N |
| **SQL Server 2017** | N | Y | N | N | N |
| **SQL Server 2016** | N | Y | N | N | N |
| **SQL Server 2014** | N | Y | N | N | N |
| **SQL Server 2012** | N | Y | N | N | N |
| **SQL Server 2008 R2** | N | Y | N | N | N |
| **SQL Server 2008** | N | Y | N | N | N |

## 3.0 TDE Concepts

SQL Server encrypts data with a hierarchical encryption and key management infrastructure. Each layer encrypts the layer below it using a combination of certificates, asymmetric keys, and symmetric keys. Asymmetric and symmetric keys can be stored outside of SQL Server in an Extensible Key Management (EKM) module.

![Encryption_Hierarchy.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/12715757912724.png)

**Figure 1: Encryption hierarchy**

Before enabling TDE, a DEK must be created; it is used to encrypt the contents of the database. It is a symmetric key, and the supported algorithms are AES with 128-bit, 192-bit, or 256-bit keys, or three-key Triple DES. After TDE is enabled on a database, the DEK is used to encrypt the contents of the database and its transaction log. When TDE is enabled for any database on the server, TempDB is also encrypted, and its DEK is managed internally by SQL Server.

TDE also requires creating a Master Encryption Key (MEK), which is created on Fortanix DSM using the EKM module. The recommended algorithm for the master key is RSA 2048 or higher. This MEK is used to encrypt Data Encryption Keys (DEK). See the diagram below for key hierarchy.

![Key_Management.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/12715757893908.png)

**Figure 2: Key management**

### 3.1 Creating a Master Encryption Key (MEK)

In SQL Transparent Data Encryption (TDE), MEK is an asymmetric key that protects the DEK.

The asymmetric key always resides on Fortanix DSM, which secures it and supports compliance requirements for the database server.

When you restore or attach a TDE database on another server, ensure that the same MEK is present on that server as well.

The following is a sample command to create the MEK:

```sql
USE master;
GO
CREATE ASYMMETRIC KEY ekm_login_key
FROM PROVIDER [EKM_Prov]
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'SQL_Server_Key';
GO
```

Where,

- `ekm_login_key` refers to the master key alias on the MSSQL database.
- `EKM_Prov` refers to the Fortanix EKM Provider.
- `SQL_Server_Key` refers to the key created on Fortanix DSM.

> [!NOTE]
> The user is not bound to use the same names as mentioned in the commands.

### 3.2 Creating Data Encryption Key (DEK)

The DEK is a symmetric key that encrypts the data on the SQL machine.

A symmetric key is one that is used for both encryption and decryption. Encryption and decryption by using a symmetric key is fast and suitable for routine use with sensitive data in the database.

Run the following commands to create the DEK that will be used for TDE:

```sql
USE employee;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY ekm_login_key;
GO
```

Where,

- `ekm_login_key` refers to the master key alias on the MSSQL database.

### 3.3 Database Credentials

A credential is a record that contains the authentication information required to connect to a resource outside of SQL Server. In a TDE configuration, this credential contains the Fortanix API key used to connect to Fortanix DSM. Refer to the [Data Security Manager with Microsoft SQL TDE Integration - Before You Begin](/v1/docs/data-security-manager-with-microsoft-sql-server-tde-integration-before-you-begin) guide to understand the API key.

```sql
CREATE CREDENTIAL sa_ekm_tde_cred
WITH IDENTITY = 'Identity1',
SECRET = '<DSM_API_KEY>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;
GO
```

Where,

- `sa_ekm_tde_cred` refers to the name of the credential.
- `Identity1` refers to the identity name. The value can be any name.
- `EKM_Prov` refers to the Fortanix EKM Provider.
- `SECRET` refers to the Fortanix DSM API key.

> [!NOTE]
> The user is not bound to use the same names as mentioned in the commands.

### 3.4 Database Login (DB Engine)

A login is a security principal, or an entity that a secure system can authenticate.

```sql
CREATE LOGIN EKM_Login
FROM ASYMMETRIC KEY ekm_login_key;
GO
```

Where,

- `EKM_Login` refers to the name of the login.
- `ekm_login_key` refers to the master key alias on the MSSQL database.

> [!NOTE]
> The user is not bound to use the same names as mentioned in the commands.
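The four objects from Sections 3.1 to 3.4 depend on each other, so the following script, an added example that is not part of this article or of Fortanix's own procedure, puts them in the order SQL Server needs them and finishes with the verification queries a DBA would run afterwards. It reuses the names from the sections above (`EKM_Prov`, `sa_ekm_tde_cred`, `ekm_login_key`, `EKM_Login`, `employee`), assumes the Fortanix EKM provider is already registered as `EKM_Prov` as described in the Before You Begin article, uses `<DSM_API_KEY>` and `<YOUR_SYSADMIN_LOGIN>` as placeholders, and adds the standard SQL Server step of mapping the credential to a login, which this page does not show. The `ALTER DATABASE ... SET ENCRYPTION ON` statement and the catalog views `sys.asymmetric_keys` and `sys.dm_database_encryption_keys` are standard SQL Server, not Fortanix-specific.

```sql
-- Added example, not from the Fortanix article. Assumes EKM_Prov is already
-- registered and that a database named "employee" exists.
USE master;
GO

-- 1. Credential carrying the DSM API key, bound to the EKM provider (Section 3.3).
CREATE CREDENTIAL sa_ekm_tde_cred
WITH IDENTITY = 'Identity1',
SECRET = '<DSM_API_KEY>'                    -- placeholder: the real DSM API key
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;
GO

-- Map the credential to the login running this script so that the next
-- CREATE ASYMMETRIC KEY can authenticate to DSM (standard SQL Server EKM step,
-- assumed here; not shown on the page).
ALTER LOGIN [<YOUR_SYSADMIN_LOGIN>] ADD CREDENTIAL sa_ekm_tde_cred;
GO

-- 2. MEK: the RSA key is generated inside DSM; SQL Server keeps only the alias (Section 3.1).
CREATE ASYMMETRIC KEY ekm_login_key
FROM PROVIDER [EKM_Prov]
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'SQL_Server_Key';
GO

-- 3. Login tied to the MEK, with the credential attached, so the Database Engine
--    itself can reach DSM to open the DEK at startup without a human session (Section 3.4).
CREATE LOGIN EKM_Login
FROM ASYMMETRIC KEY ekm_login_key;
GO
ALTER LOGIN EKM_Login ADD CREDENTIAL sa_ekm_tde_cred;
GO

-- 4. DEK inside the target database, wrapped by the MEK, then turn TDE on (Section 3.2).
USE employee;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY ekm_login_key;
GO
ALTER DATABASE employee SET ENCRYPTION ON;
GO

-- Verification 1: the MEK must be EKM-backed. provider_type reads
-- 'CRYPTOGRAPHIC PROVIDER' for a key held in DSM rather than in SQL Server.
USE master;
GO
SELECT name, algorithm_desc, key_length, provider_type, thumbprint
FROM sys.asymmetric_keys
WHERE name = 'ekm_login_key';
GO

-- Verification 2: encryption progress and which key wraps each DEK.
-- encryption_state: 2 = encryption in progress, 3 = encrypted (tempdb appears too).
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm, key_length,
       encryptor_type, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO

-- Verification 3 (run on the server you restore or attach to): every DEK's
-- encryptor_thumbprint must match a key present in that server's
-- sys.asymmetric_keys; a NULL mek_alias means the MEK is missing there and
-- the database cannot be opened.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryptor_thumbprint,
       a.name AS mek_alias
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.asymmetric_keys AS a
       ON a.thumbprint = k.encryptor_thumbprint;
GO
```

The third query is the practical form of the rule in Section 3.1 that the same MEK must exist on any server where a TDE database is restored or attached: the DEK records the thumbprint of the key that wraps it, so a destination server whose `sys.asymmetric_keys` has no matching thumbprint cannot decrypt the DEK, regardless of the alias names used.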

## 4.0 Reference Documents

For the step-by-step integration procedure, refer to the following articles in the same sequence as mentioned:

- [Data Security Manager with Microsoft SQL TDE Integration - Before You Begin](/v1/docs/data-security-manager-with-microsoft-sql-server-tde-integration-before-you-begin)
- [Data Security Manager with Microsoft SQL TDE Integration - Standalone Server Integration](/v1/docs/data-security-manager-with-microsoft-sql-server-tde-integration-standalone-server)
- [Data Security Manager with Microsoft SQL TDE Integration - AOG Server Integration](/v1/docs/data-security-manager-with-microsoft-sql-server-tde-integration-always-on-group-aog)
- [Data Security Manager with Microsoft SQL TDE Integration - Key Rotation](/v1/docs/data-security-manager-with-microsoft-sql-server-tde-integration-key-rotation)
- [Data Security Manager with Microsoft SQL TDE Integration - Backup & Restore](/v1/docs/data-security-manager-with-microsoft-sql-server-tde-integration-backup-restore)
- [Data Security Manager with Microsoft SQL TDE Integration - Advanced](/v1/docs/data-security-manager-with-microsoft-sql-server-tde-integration-advanced)

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Fortanix DSM with Microsoft SQL Server TDE - Before You Begin](/data-security-manager-with-microsoft-sql-server-tde-integration-before-you-begin.md)
- [Fortanix DSM with Microsoft SQL Server TDE - Advanced](/data-security-manager-with-microsoft-sql-server-tde-integration-advanced.md)
- [Fortanix DSM to Create Tokenization Secret](/using-fortanix-data-security-manager-to-create-tokenization-secret.md)
- [Fortanix DSM Key for Generating Certificates](/generating-certificates-using-a-fortanix-data-security-manager-key.md)
