We need to encrypt our databases. One of the issues is that in native TDE the security keys are not managed away from the data. Based on what I've read EKM solves this issue.
I'd like to know if anyone who's worked with EKM can chime in here with their experiences. Also, does it always have to interface with a HSM or are there software based solutions that we can install ourselves onto our own hardened servers? Are there any free solutions or are all key management solutions paid?