Creating Symmetric Key from external provider

  • Knowing the security objects hierarchy, we can see that in order to create a `Symmetric Key` and encrypt data, we need to create:

    1. `Database Master Key` which is protected by password
    2. `Certificate` which is protected by the `Database Master key`
    3. The `Symmetric Key` itself, which is protected by the `Certificate`


    In `Always Encrypted`, we can use an `EKM` module to simplify this hierarchy. For example, we can store the certificates in the `Windows Certification Store`, and these certificates protect our encryption master keys.

    I am wondering, if I do not want to use the `Always Encrypted` built-in encryption functionality, can I use an `EKM` module to create and manage my symmetric keys (like it is shown on the diagram)? In the CREATE SYMMETRIC KEY documentation we have a `provider` option, but not enough information about possible providers and examples.

    I am interested in storing the `Certificate` which is protecting the Symmetric keys, or the Symmetric keys themselves, in external storage, because in such a way the data is separated from the keys and in the database we store only references to the keys (like in Always Encrypted). The Windows Certification Store would be the best option for me, but Azure Key Vault or something else would work as well, I guess.
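The three-level hierarchy from the post (Database Master Key, certificate, symmetric key) and the EKM-backed variant the post asks about, written out in T-SQL as an added example (not code from the original post or from Microsoft's documentation). All object names, the sample table, the passphrase, the EKM provider DLL path and the credential values are placeholders chosen for this example; the provider DLL, its credential format and the external key name come from the EKM vendor.

```sql
-- Added example, not part of the original post. Names below are placeholders.
USE master;
GO
IF DB_ID('KeyDemo') IS NULL CREATE DATABASE KeyDemo;
GO
USE KeyDemo;
GO

-- 1. Database Master Key, protected by a password. By default it is also
--    encrypted by the Service Master Key, so it opens automatically.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Long-Random-Passphrase!1';
GO

-- 2. Certificate with no password clause: its private key is protected
--    by the Database Master Key.
CREATE CERTIFICATE cert_KeyProtector
    WITH SUBJECT = 'Protects symmetric keys in KeyDemo',
         EXPIRY_DATE = '20301231';
GO

-- 3. Symmetric key, protected by the certificate.
CREATE SYMMETRIC KEY symkey_Customers
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE cert_KeyProtector;
GO

-- Using it: the key is opened for the session, ENCRYPTBYKEY embeds the key
-- GUID in the ciphertext, and DECRYPTBYKEY uses that GUID to pick the key.
CREATE TABLE dbo.Customers (Id int IDENTITY PRIMARY KEY, SSN_enc varbinary(256));
GO
OPEN SYMMETRIC KEY symkey_Customers DECRYPTION BY CERTIFICATE cert_KeyProtector;
INSERT dbo.Customers (SSN_enc)
VALUES (ENCRYPTBYKEY(KEY_GUID('symkey_Customers'), '123-45-6789'));  -- constructed sample value
SELECT Id, CONVERT(varchar(11), DECRYPTBYKEY(SSN_enc)) AS SSN
FROM dbo.Customers;
CLOSE SYMMETRIC KEY symkey_Customers;
GO

-- Check what protects what: the key should be certificate-encrypted and the
-- certificate's private key should be DMK-encrypted.
SELECT k.name, k.algorithm_desc, k.key_length, ke.crypt_type_desc
FROM sys.symmetric_keys k
JOIN sys.key_encryptions ke ON ke.key_id = k.symmetric_key_id;
SELECT name, pvt_key_encryption_type_desc FROM sys.certificates;
GO

-- EKM variant: the key material lives in the external provider and the
-- database keeps only a reference to it. Requires an edition that supports EKM
-- and a provider DLL from the HSM / key-vault vendor (path is a placeholder).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;
GO
USE master;
GO
CREATE CRYPTOGRAPHIC PROVIDER ExternalKeyProvider
    FROM FILE = 'C:\EKM\VendorEkmProvider.dll';   -- placeholder path
GO
-- Credential the engine presents to the provider; IDENTITY/SECRET format is vendor-specific.
CREATE CREDENTIAL cred_ExternalKeyProvider
    WITH IDENTITY = 'provider-identity-placeholder',
         SECRET   = 'provider-secret-placeholder'
    FOR CRYPTOGRAPHIC PROVIDER ExternalKeyProvider;
ALTER LOGIN [DOMAIN\dba] ADD CREDENTIAL cred_ExternalKeyProvider;  -- placeholder login
GO
USE KeyDemo;
GO
-- Reference an existing key held by the provider; no certificate or DMK is involved.
CREATE SYMMETRIC KEY symkey_Customers_EKM
    FROM PROVIDER ExternalKeyProvider
    WITH PROVIDER_KEY_NAME = 'customers-key',      -- name of the key inside the provider
         CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- Confirm the key is provider-backed rather than stored in the database.
SELECT k.name, k.provider_type, p.name AS provider_name, p.dll_path
FROM sys.symmetric_keys k
JOIN sys.cryptographic_providers p ON p.guid = k.cryptographic_provider_guid;
GO
```

The first half is the hierarchy the post lists; dropping or rotating the certificate invalidates every symmetric key under it, so back up the certificate and the DMK (BACKUP CERTIFICATE / BACKUP MASTER KEY) before relying on this. The second half is the `FROM PROVIDER` form of CREATE SYMMETRIC KEY: it needs an EKM provider registered with CREATE CRYPTOGRAPHIC PROVIDER, and the Windows certificate store is not itself such a provider. Azure Key Vault does have a Microsoft-supplied EKM provider (the SQL Server Connector for Microsoft Azure Key Vault), which is the route that matches the "references only, keys outside the database" requirement in the post.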
