1.0 Introduction
This article describes the steps that must be performed before integrating Fortanix-Data-Security-Manager (DSM) with Microsoft SQL Transparent Data Encryption (TDE).
1.1 Prerequisites
Ensure the following:
The Fortanix CNG Client must be installed and configured.
The port 443 must be accessible from the SQL target machine to Fortanix DSM.
Protocol
Inbound/
Outbound
Port Number
Load balancer (Yes/No)
Purpose
TCP
Outbound
443
No
HTTPS – Used for calling REST API. MS-SQL server will access the cluster/SaaS URL on this port.
Each individual node will also need this port open.
The SQL Server must be installed and configured on the target machine.
Administrators are privileged to access SQL Server Management Studio from the target machine.
1.2 Limitations and Restrictions
You must be a highly privileged user (such as a system administrator) to create a database encryption key and encrypt a database. That user must be able to be authenticated by the EKM module.
Upon startup, the database engine must open the database. To do this, you should create a credential that will be authenticated by the EKM and add it to a login that is based on an asymmetric key. Users cannot sign in using that login, but the database engine will be able to authenticate itself with the EKM device.
If the asymmetric key stored by EKM Provider (Fortanix DSM) is lost, the database will not be able to be opened by SQL Server. Hence, it is recommended to never delete or edit SQL Server managed keys from Fortanix DSM manually. Even after key rotation, it is recommended to keep the old keys, so that older backups can be used in contingency scenarios.
Access to install the Fortanix KMS Server file to configure it on the machine and user.
1.3 Permissions
This document uses the following permissions:
To change a configuration option and run the
RECONFIGUREstatement, you must be granted theALTER SETTINGSserver-level permission. TheALTER SETTINGSpermission is implicitly held by the System Administrator and the Server Administrator who hold fixed server roles.Requires
ALTER ANY CREDENTIAL.Requires
ALTER ANY LOGIN.Requires
CONTROLpermission on the database to encrypt the database.Requires
CREATE ASYMMETRIC KEYpermission.
2.0 Fortanix CNG Provider
The Fortanix CNG Provider must be installed on every target machine. Refer to cng-ekm to download the CNG Provider.
FortanixKmsClient.msi installs the Fortanix CNG Provider, as well as an EKM provider and the PKCS#11 library. Next, to configure the CNG client Fortanix CNG Provider communicates with Fortanix DSM for crypto operations.
2.1 Installation
Perform the following steps to complete the installation on your machine:
On the Fortanix KMS Client Setup dialog box, click the Next button.
Figure 1: Fortanix KMS Client Setup
Select the checkbox for I accept the terms in the License Agreement and click the Next Button.
Figure 2: Fortanix KMS Client Setup
Enter the location for installing the Fortanix KMS Client as C:\Program Files\Fortanix\KMS Client\.
Figure 3: Fortanix KMS Client Setup
Click the Install button to install the Fortanix KMS client.
Figure 4: Fortanix KMS Client Setup
After the installation is done, click the Finish button.
Figure 5: Fortanix KMS Client Setup
2.2 Configuring CNG Client
The Fortanix KMS Server URL and proxy information are configured in the Windows registry for the local machine or the current user.
Run the following command to navigate to FortanixKmsClientConfig.exe file:
cd C:\Program Files\Fortanix\KMSClient\The machine key store uses the local machine configuration, and the user key store uses the current user configuration.
For example, run the following command to configure the Fortanix KMS Server URL for the local machine:
FortanixKmsClientConfig.exe machine --api-endpoint {KMS_URL}Where,
KMS_URLrefers to the Fortanix DSM URL. On-premises customers use KMS URL and SaaS. The customers can use the following URLs based on the region.Europe: https://eu.smartkey.io/
United States of America: https://amer.smartkey.io/
For example,
FortanixKmsClientConfig.exe machine --api-endpoint https://<fortanix_dsm_url>Run the following command to configure the Fortanix KMS Server URL for the current user:
FortanixKmsClientConfig.exe user --api-endpoint {KMS_URL} To configure proxy information, add --proxy http://proxy.com or --proxy none to unconfigure proxy.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.
Figure 6: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 7: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 8: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully. You can use the app API key to authenticate the CNG client to Fortanix DSM and start making calls to do cryptographic operations.
3.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to use it later.
4.0 Reference Documents
Refer to the following documents to know the integration procedure in the same sequence as mentioned:
Data Security Manager with Microsoft SQL TDE Integration - Standalone Server Integration
Data Security Manager with Microsoft SQL TDE Integration - AOG Server Integration
Data Security Manager with Microsoft SQL TDE Integration - Key Rotation
Data Security Manager with Microsoft SQL TDE Integration - Backup & Restore
Data Security Manager with Microsoft SQL TDE Integration - Advanced