September 20, 2018 at 3:15 pm
We use an external HSM device to create and store keys and use it for TDE. Our auditors are asking questions about where the keys are stored. So obviously the key is stored in the external HSM device.
In this link, under step 5,
USE master ;
GO
-- Step 5 of the linked EKM setup: create a SQL Server asymmetric key object
-- that is backed by the provider-held key named 'SQL_Server_Key'.
CREATE ASYMMETRIC KEY ekm_login_key
FROM PROVIDER [EKM_Prov]
WITH ALGORITHM = RSA_512,
PROVIDER_KEY_NAME = 'SQL_Server_Key' ;
GO
September 25, 2018 at 2:29 pm
Quoting jesijesijesi - Thursday, September 20, 2018 3:15 PM (the post and CREATE ASYMMETRIC KEY statement above):
- Does the above statement create a copy of the key in master DB also? If not what does it create?
No, it creates an asymmetric key that is encrypted using the provider.
The asymmetric key ekm_login_key will be stored in the master database. That's what it creates.
Sue
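To give the auditor something concrete, here is an added example (my own, not code from the thread or from the Microsoft page the post cites) that walks the EKM/TDE setup end to end and then queries the catalog to show exactly what master holds. The provider name EKM_Prov and provider key name SQL_Server_Key come from the post; the DLL path, the credential identity and secret, the login and credential names, and the database name Sales are assumptions to be replaced with your own. I also use RSA_2048 rather than the RSA_512 of the docs snippet, since a 512-bit RSA key is far too short for anything that protects a TDE key hierarchy.

```sql
USE master;
GO

-- 1. EKM is off by default (and is not available in every edition).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the HSM vendor's EKM DLL. The path is an assumption.
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
    FROM FILE = 'C:\EKM\VendorEKM.dll';
GO

-- 3. Credential SQL Server presents to the HSM when it needs the key.
--    IDENTITY/SECRET are placeholders for the HSM partition login.
CREATE CREDENTIAL ekm_hsm_cred
    WITH IDENTITY = 'hsm_partition_user', SECRET = 'hsm_partition_secret'
    FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;
GO

-- 4. The step the thread asks about. OPEN_EXISTING references a key that
--    already exists in the HSM; only a catalog record (metadata plus the
--    public half) lands in master, the private key never leaves the device.
CREATE ASYMMETRIC KEY ekm_tde_key
    FROM PROVIDER EKM_Prov
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'SQL_Server_Key',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. A login mapped to the key and carrying the credential, so the engine
--    can reach the HSM key at startup to unwrap the database encryption key.
CREATE LOGIN ekm_tde_login FROM ASYMMETRIC KEY ekm_tde_key;
ALTER LOGIN ekm_tde_login ADD CREDENTIAL ekm_hsm_cred;
GO

-- 6. The DEK lives in the user database, wrapped by the HSM-held key.
USE Sales;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY ekm_tde_key;
GO
ALTER DATABASE Sales SET ENCRYPTION ON;
GO

-- 7. What to hand the auditor: master holds a key record whose private half
--    is with the provider, and Sales holds a DEK protected by that key.
USE master;
GO
SELECT ak.name,
       ak.algorithm_desc,
       ak.key_length,
       ak.pvt_key_encryption_type_desc,  -- reports the provider, not a master key or password
       ak.provider_type,                 -- populated only for EKM-backed keys
       cp.name     AS provider_name,
       cp.dll_path,
       cp.is_enabled,
       DATALENGTH(ak.public_key) AS public_key_bytes  -- the only key material on disk
FROM sys.asymmetric_keys AS ak
JOIN sys.cryptographic_providers AS cp
  ON cp.guid = ak.cryptographic_provider_guid
WHERE ak.name = N'ekm_tde_key';

SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,             -- 3 = encrypted
       dek.key_algorithm,
       dek.key_length,
       dek.encryptor_type,               -- ASYMMETRIC KEY
       ak.name AS encryptor_key
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.asymmetric_keys AS ak
  ON ak.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID(N'Sales');
```

The two catalog queries are the part worth keeping in the audit evidence: the first shows that the row in master points at a cryptographic provider and carries only the public key, the second ties the database's DEK to that key by thumbprint. If the HSM is unreachable when the instance starts, the database stays in a recovery-pending state because the DEK cannot be unwrapped, which is the practical proof that the private key is not sitting in master.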
September 26, 2018 at 12:24 pm
There isn't a security risk here. I'd just pass this to the auditor and let them find a hole: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/extensible-key-management-ekm?view=sql-server-2017