1.0 Introduction
This article provides detailed steps for seamlessly integrating Microsoft SQL Server with Transparent Data Encryption (TDE) in a database configured for mirroring. The procedures outlined here have been thoroughly tested on two servers: Server 1, serving as the nominal principal node, and Server 2, the nominal mirror node. Notably, the configuration employs Fortanix Hardware Security Modules (HSMs) without shared disk architecture.
These integration steps apply to each database, including both the primary and replicas, for which TDE encryption is to be enabled. Before initiating the integration, it is assumed that the target database:
Already exists.
Is not currently encrypted and does not contain a Data Encryption Key (TDE DEK).
Has never been encrypted previously. If it has, you may encounter errors requiring a transaction log backup.
NOTE
The examples provided herein use a database named
SourceDatabasefor encryption, and the database wrapping key is referenced asSQL_Server_Keyin the Fortanix-Data-Security-Manager (DSM) and asekm_login_keyin the master database. You can customize names and parameters according to your specific requirements. Additionally, these steps also assume that no wrapping key with the same name already exists in either Fortanix DSM or the master database.
Before proceeding with the integration, ensure the following prerequisites:
The database has been recently backed up.
If you have a preferred server for the principal role, ensure a failover to that server.
Ensure that the initial roles (principal or replica) are assigned to each server role.
Follow the subsequent steps in the specified order. The article assumes that the server nodes retain their initial principal or replica state.
NOTE
Ensure that you have performed the steps from the Data Security Manager with Microsoft SQL TDE Integration – Before You Begin guide.
2.0 TDE Configurations
Perform the following procedures on both the primary and secondary replicas.
2.1 Enabling TDE Features
Run the following commands if Extensible Key Management (EKM) is not supported or enabled in the SQL Server Edition:
sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO
Figure 1: Run Commands for Error Scenario
2.2 Creating Cryptographic Provider
Run the following commands to use the correct location of the EKM DLL:
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'C:\Program Files\Fortanix\KmsClient\FortanixKmsEkmProvider.dll' ;
GOWhere,
EKM_Provrefers to the name of the provider defined by the user.
Figure 2: Create a cryptographic provider
2.3 Creating Credentials (SYSadmin)
This section describes the steps to create the credentials to generate the Master Encryption Key (MEK) on the Fortanix DSM using the SQL admin.
Run the following commands to create a credential in your SQL Server Studio that will be used by the system administrators:
CREATE CREDENTIAL sa_ekm_tde_cred WITH IDENTITY = 'Identity1', SECRET = '<DSM_API_KEY>' FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ; GOWhere,
<DSM_API_KEY>refers to the Fortanix DSM API key as copied in Fortanix Data Security Manager with Microsoft SQL Server TDE Integration - Before You Begin.
.png?sv=2022-11-02&spr=https&st=2025-06-17T11%3A09%3A54Z&se=2025-06-17T11%3A25%3A54Z&sr=c&sp=r&sig=RzO2vGY5BTs8aeboDig4YtAb1F4aKGwFRnYlXm%2BvQcs%3D)
Figure 3: Create a credential
Add the credential to a highly privileged user, such as your own domain login, in the format
[DOMAIN\login]:ALTER LOGIN EC2AMAZ-1RDPAEU\Administrator ADD CREDENTIAL "sa_ekm_tde_cred"; GORun the following commands in case there is no domain, and the machine is part of a workgroup or standalone:
ALTER LOGIN LOCALHOST\Administrator ADD CREDENTIAL "sa_ekm_tde_cred"; GO
Figure 4: Command for no domain
If you are not an administrator and hence unable to alter the login, right-click the Properties and select the Object Explorer option. Navigate to Security → Logins → <login user> and map the credentials as shown in the following image:
Figure 4: Map credentials
2.4 Creating an Asymmetric Key
The MSSQL admin has the credentials associated with creating the MEK on the Fortanix DSM. This section describes the steps to create the asymmetric key.
2.4.1 On Principle Replica
Run the following commands to create an asymmetric key stored inside the EKM provider:
USE master ;
GO
CREATE ASYMMETRIC KEY ekm_login_key
FROM PROVIDER EKM_Prov
WITH ALGORITHM = RSA_2048,
CREATION_DISPOSITION=CREATE_NEW,
PROVIDER_KEY_NAME = 'SQL_Server_Key';
GOWhere,
ekm_login_keyrefers to the master key alias on the MSSQL database.EKM_Provrefers to the Fortanix EKM Provider.SQL_Server_Keyrefers to the key created on the Fortanix DSM.
NOTE
It is recommended to add versions to the Fortanix DSM keys for an easier key rotation process.
For example:
USE master;
GO
CREATE ASYMMETRIC KEY ekm_login_key_v1
FROM PROVIDER [EKM_Prov]
WITH ALGORITHM = RSA_2048,
CREATION_DISPOSITION=CREATE_NEW,
PROVIDER_KEY_NAME = 'SQL_Server_Key_v1';
GO
Figure 5: Create an asymmetric key
2.4.2 On Replica Nodes
Run the following commands to create an asymmetric key on all the replica nodes:
USE master
CREATE ASYMMETRIC KEY ekm_login_key
FROM PROVIDER EKM_Prov
WITH PROVIDER_KEY_NAME='SQL_Server_Key',
CREATION_DISPOSITION = OPEN_EXISTING;
GOWhere,
ekm_login_keyrefers to the master key alias on the MSSQL database.EKM_Provrefers to the Fortanix EKM Provider.SQL_Server_Keyrefers to the key created on the Fortanix DSM.
2.5 Creating Credentials (DB Engine)
Run the following commands to create a credential that will be used by the database engine:
USE master;
CREATE CREDENTIAL ekm_tde_cred
WITH IDENTITY = 'Identity2',
SECRET = '<DSM_API_KEY>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;Where,
ekm_tde_credrefers to the name of the credentials.Identity2refers to the identity name. The value can be any name.EKM_Provrefers to the Fortanix EKM Provider.SECRETrefers to the Fortanix DSM API key as copied in Fortanix Data Security Manager with Microsoft SQL Server TDE Integration - Before You Begin.
.png?sv=2022-11-02&spr=https&st=2025-06-17T11%3A09%3A54Z&se=2025-06-17T11%3A25%3A54Z&sr=c&sp=r&sig=RzO2vGY5BTs8aeboDig4YtAb1F4aKGwFRnYlXm%2BvQcs%3D)
Figure 6: Create credential for database engine
2.6 Creating Login (DB Engine)
Run the following commands to add a login used by TDE and add the new credential to the login:
CREATE LOGIN EKM_Login
FROM ASYMMETRIC KEY ekm_login_key ;
GO
ALTER LOGIN EKM_Login
ADD CREDENTIAL ekm_tde_cred ;
GOWhere,
ekm_login_keyrefers to the master key alias on the MSSQL database. This key is already created in Section 2.4- Creating an Asymmetric Key.EKM_Loginrefers to the login name.ekm_tde_credrefers to the key created on Fortanix DSM. This credential is already created in Section 2.3- Creating Credentials (SYSadmin).
Figure 7: Add new credential to login
3.0 Enabling Encryption
Perform the following steps only on the principal node and monitor the status using the monitoring command on the principal or replica nodes.
3.1 Creating Data Encryption Key (DEK)
Run the following commands to create the Data Encryption Key (DEK) that will be used for TDE:
USE employee
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY ekm_login_key ;
GOWhere,
employeerefers to the database name.ekm_login_keyrefers to the master key alias on the MSSQL database.
3.2 Enabling TDE on Database
Run the following commands to alter the database to enable Transparent Data Encryption (TDE):
ALTER DATABASE employee
SET ENCRYPTION ON ;
GO
Figure 8: Enable TDE
4.0 Monitoring TDE Progress
NOTE
You must monitor the TDE on all the replicas to ensure that TDE is enabled on all the target servers.
SQL Server keeps track of the encryption progress, and we can pull that information by querying sys.dm_database_encryption_keys. Particularly, ‘Percent_Complete’ and ‘encryption_state’ are the two columns that are required to understand the progress of TDE. ‘encryption_state’ column returns an integer value (0-6) which indicates the encryption status of the database and ‘percent_complete’ column tells us the percent completed of the DB encryption state change.
Encryption_state (int) | Description |
|---|---|
0 | No database encryption key present, no encryption |
1 | Unencrypted |
2 | Encryption in progress |
3 | Encrypted |
4 | Key change in progress |
5 | Decryption in progress |
6 | Protection changes in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed). |
The following T-SQL statement can be used to monitor TDE progress or status:
SELECT DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0' THEN 'No database encryption key present, no encryption'
WHEN '1' THEN 'Unencrypted'
WHEN '2' THEN 'Encryption in progress'
WHEN '3' THEN 'Encrypted'
WHEN '4' THEN 'Key change in progress'
WHEN '5' THEN 'Decryption in progress'
WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed.)'
ELSE 'No Status'
END,
percent_complete,encryptor_thumbprint, encryptor_type FROM sys.dm_database_encryption_keysThe output of this query comes in handy to manage TDE.