17.07.2015 Views

Download eBook (PDF) - Red Gate Software


4 – Encryption Basics for SQL Server

You can query sys.cryptographic_providers to verify that the provider was successfully created.

The use of EKM, by default, is disabled. To begin to use this feature of SQL Server you will need to first execute the script in Listing 4-7.

    -- Expose the advanced options, which include the EKM setting
    sp_configure 'show advanced',1;
    GO
    RECONFIGURE
    GO
    -- Turn on Extensible Key Management
    sp_configure 'EKM provider enabled',1;
    GO
    RECONFIGURE
    GO

Listing 4-7: Enabling EKM.

Once the cryptographic providers have been created and EKM is enabled, these keys can be utilized to perform encryption and decryption of other keys and data through the standard built-in cryptographic functions that are provided with SQL Server.

Backing up Keys

Whenever the topic of encryption is being discussed there is a question that inevitably arises. This question is in regard to how encrypted data can be recovered if the key is lost or corrupted. The answer is a short one: the data will be lost. That is, unless you have backed up all of the keys that are used in the encryption effort.

When the database is backed up through the built-in SQL Server database backup process, some keys are included in the backup file and others are not. The asymmetric keys and symmetric keys that are created within the database, as well as the database encryption key that is used in the TDE feature, are all included in the database backup. The service master key, database master key and certificates are not included in the database backup. Each of these keys must be backed up as a separate task, using the following commands:

• BACKUP SERVICE MASTER KEY
• BACKUP MASTER KEY
• BACKUP CERTIFICATE
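
The three backup commands listed above, written out in full as an added example that is not taken from the eBook, followed by a check for certificates whose private key has never been backed up. The database name SalesDB, the certificate name SalesCert, the folder D:\KeyBackup\ and the bracketed passwords are hypothetical placeholders.

```sql
-- Added example. Hypothetical names: database SalesDB, certificate SalesCert,
-- folder D:\KeyBackup\. Replace each <...> placeholder with a strong password
-- that is stored separately from the backup files.

-- 1. Service master key (one per instance).
USE master;
GO
BACKUP SERVICE MASTER KEY
    TO FILE = 'D:\KeyBackup\service_master_key.smk'
    ENCRYPTION BY PASSWORD = '<smk-backup-password>';
GO

-- 2. Database master key (repeat in every database that has one).
USE SalesDB;
GO
BACKUP MASTER KEY
    TO FILE = 'D:\KeyBackup\SalesDB_master_key.dmk'
    ENCRYPTION BY PASSWORD = '<dmk-backup-password>';
GO

-- 3. Certificate together with its private key. A backup of the public
--    certificate alone cannot decrypt anything after a restore.
BACKUP CERTIFICATE SalesCert
    TO FILE = 'D:\KeyBackup\SalesCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\SalesCert.pvk',
        ENCRYPTION BY PASSWORD = '<cert-key-backup-password>'
    );
GO

-- 4. Check: certificates in the current database that hold a private key
--    which has never been backed up. An empty result is the goal.
SELECT name,
       thumbprint,
       pvt_key_encryption_type_desc,
       pvt_key_last_backup_date
FROM sys.certificates
WHERE pvt_key_encryption_type <> 'NA'       -- 'NA' = no private key stored
  AND pvt_key_last_backup_date IS NULL
  AND name NOT LIKE '##%';                  -- skip system-generated certificates
GO
```

Run the check in master as well, since certificates that protect a TDE database encryption key are created there.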
